XML

XHTML Developer, ASP.NET Developer, Web Developer

2010-12-25T08:26:00.000-08:00

XHTML Developer, ASP.NET Developer, Web Developer

Cloud Computing, SOA and Windows Azure

2010-08-13T23:52:00.000-07:00

"The Windows Azure platform is an Internet-scale cloud computing
services platform hosted in Microsoft data centers. Windows tools
provide functionality to build solutions that include a cloud services
operating system and a set of developer services. The key parts of the
Windows Azure platform are: Windows Azure -- application container,
Microsoft SQL Azure, and Windows Azure platform AppFabric

The Windows Azure platform is part of the Microsoft cloud, which
consists of multiple categories of services: (1) Cloud-based
applications: These are services that are always available and highly
scalable. They run in the Microsoft cloud that consumers can directly
utilize. Examples include Bing, Windows Live Hotmail, Office.
(2) Software services: These services are hosted instances of
Microsoft's enterprise server products that consumers can use directly.
Examples include Exchange Online, SharePoint Online, Office
Communications Online, etc. (3) Platform services: This is where the
Windows Azure platform itself is positioned. It serves as an application
platform public cloud that developers can use to deploy next-generation,
Internet-scale, and always available solutions. (4) Infrastructure
services: There is a limited set of elements of the Windows Azure
platform that can support cloud-based infrastructure resources.

SQL Azure is a cloud-based relational database service built on SQL
Server technologies that exposes a fault-tolerant, scalable, and
multi-tenant database service. SQL Azure does not exist as hosted
instances of SQL Server. It also uses a cloud fabric layer to abstract
and encapsulate the underlying technologies required for provisioning,
server administration, patching, health monitoring, and lifecycle
management.

Summary of Key Points: (1) The Windows Azure platform is primarily a
PaaS deployed in a public cloud managed by Microsoft. (2) Windows Azure
platform provides a distinct set of capabilities suitable for building
scalable and reliable cloud-based services. (3) The overall Windows
Azure platform further encompasses SQL Azure and Windows Azure platform
AppFabric." More Info See also XML in Clinical Research and Healthcare Industries:

Computers in Patient Care: The Promise and the Challenge

2010-08-13T23:51:00.000-07:00

"Why is it that in terms of automating medical information, we are
still attempting to implement concepts that are decades old? With all
of the computerization of so many aspects of our daily lives, medical
informatics has had limited impact on day-to-day patient care. We have
witnessed slow progress in using technology to gather, process, and
disseminate patient information, to guide medical practitioners in
their provision of care and to couple them to appropriate medical
information for their patients' care...

The first challenge in applying medical informatics to the daily
practice of care is to decide how computerization can help patient care
and to determine the necessary steps to achieve that goal. Several
other early attempts were made to apply computerization to health
care. Most were mainframe-based, driving 'dumb' terminals. Many dealt
only with the low-hanging fruit of patient order entry and results
reporting, with little or no additional clinical data entry. Also,
many systems did not attempt to interface with the information
originator (e.g., physician) but rather delegated the system use to
a hospital ward clerk or nurse, thereby negating the possibility of
providing medical guidance to the physician, such as a warning about
the dangers of using a specific drug.

We have made significant technological advances that solve many of
these early shortcomings. Availability of mass storage is no longer a
significant issue. Starting with a 7-MB-per-freezer-size-disk drive
(which was not very reliable), we now have enterprise storage systems
providing extremely large amounts of storage for less than $1 per
gigabyte, and they don't take up an entire room. This advance in
storage has been accompanied by a concomitant series of advances in
file structures, database design, and database maintenance utilities,
greatly simplifying and accelerating data access and maintenance.
[But] if we truly want to develop an information utility for
health-care delivery in an acute care setting (such as an intensive
care unit or emergency department), we need to strive for overall
system reliability at least on the order of our electric power grid...

One significant issue is the balkanization of medical computerization.
Historically, there has been little appreciation of the need for an
overall system. Instead we have a proliferation of systems that do
not integrate well with each other. For example, a patient who is
cared for in my emergency department may have his/her data spread
across nine different systems during a single visit, with varying
degrees of integration and communication among these systems: EDIS
(emergency department information system), prehospital care (ambulance)
documentation system, the hospital ADT (admission/discharge/transfer)
system, computerized clinical laboratory system, electronic data
management (medical records) imaging system, hospital pharmacy system,
vital-signs monitoring system, hospital radiology ordering system,
and PACS system...." More Info See also XML in Clinical Research and Healthcare Industries:

IETF Approves Symmetric Key Package Content Type Specification

2010-08-13T23:50:00.000-07:00

The Internet Engineering Steering Group (IESG) has announced approval
of the "Symmetric Key Package Content Type" Specification as an IETF
Proposed Standard. Hannes Tschofenig is the document shepherd for this
document, and Tim Polk is the IETF Responsible Area Director. The
specification was produced by members of the IETF Provisioning of
Symmetric Keys (KEYPROV) Working Group.

"This document provides the ASN.1 variant of the Portable Symmetric Key
Container (PSKC), which is defined using XML in the I-D 'Portable
Symmetric Key Container (PSKC)' The symmetric key container defines a
transport independent mechanism for one or more symmetric keys as well
as any associated attributes. The container by itself is insecure; it
can be secured using either the Dynamic Symmetric Key Provisioning
Protocol (DSKPP) or a CMS protecting content types, per RFC 5652. In
addition to the key container, this document also defines ASN.1 version
of the XML elements and attributes defined in PSKC.

Working Group Summary: The WG agreed that this container would be the
optional container, but there was a contingent (both in the WG and in
the IEEE) that wanted the ASN.1 container. The format for the container
has been stable since version -02. The ASN.1 converted XML elements
and attributes were added in the last version to ensure alignment with
PSKC.

Document Quality: The text of this document is derived from the XML
elements and attributes defined in draft-ietf-keyprov-pskc. As such,
this document represents the ASN.1 based version of the XML-based
counterpart. More Info See also the IETF Provisioning of Symmetric Keys (KEYPROV) Working Group:

Building an AtomPub Server Using WCF Data Services

2010-08-13T23:49:00.000-07:00

OData (odata.org) builds on the HTTP-based goodness of Atom for
publishing data; AtomPub for creating, updating and deleting data;
and the Microsoft Entity Data Model (EDM) for defining the types of
data.

If you have a JavaScript client, you can get the data back directly in
JSON instead of Atom format, and if you've got something else --
including Excel, the .Microsoft NET Framework, PHP, AJAX and more --
there are client libraries for forming OData requests and consuming
OData responses.

If you're using the .NET Framework on the server side, Microsoft also
provides an easy-to-use library called WCF Data Services for exposing
.NET Framework types or databases supported by the Microsoft Entity
Framework as OData sources. This makes it easy to expose your data
over the Internet in an HTTP- and standards-based way.

[However] there are some things that you might like to do with OData
that aren't quite part of the out-of-box experience, such as integrating
OData with existing Atom- and AtomPub-based readers and writers..." More Info

Computing Cloud Seen as Answer for Consolidated Audit Trail

2010-08-13T23:48:00.000-07:00

"FTEN, a supplier of risk management software to bulge bracket firms on
Wall Street has proposed that the Securities and Exchange Commission
rely on real-time data stored in a nationwide cloud of computing power
and networks to create an effective audit trail of stock market activity.

FTEN provides risk management, routing, surveillance, compliance and
market data services to market participants. The firm proposed in a
letter to the SEC look to already deployed and commercially available
systems that capture order and execution data in real-time from stock
exchanges, electronic communication networks, alternative trading systems
and dark pools to start creating the trail.

The data from all markets then could be mapped back to a unified
format that would create a normalized set of data that regulators
could review in real time for signs of market disruptions or abuse...

Ted Myerson, FTEN CEO said FTEN's commercially deployed At-Trade secure
data cloud already aggregages data from 50 sources, with a wide variety
of symbol directories, unifies it into a common format and feeds it back
to private firms... FTEN says it provides real-time risk management and
surveillance on as many as 17 billion shares of stock a day in the
United States. That, it says, equates to risk calculations involving
$150 billion worth of shares a day... FTEN did not put a price tag on
what it would take the securities industry to build out a consolidated
audit trail system based on its At-Trade cloud of compute power and
online data..." More Info

The Arrival of HTML 5: Lots of New Features, All Eagerly Awaited

2010-08-13T23:46:00.000-07:00

"HTML (Hyper Text Markup Language) is one of the underpinnings
technologies of the modern web with the lion's share of web users'
Internet activities founded on it. HTML now stands on the brink of
the next change -- the coming of HTML 5. At present, the Internet
already contains a handful of HTML 5 specification outlines which
partially cover HTML 5 features and conceptions. In this article, we
review the current state of HTML and describe the most significant
HTML 5 innovations.

Offline Potential: Some time ago, a new specification for client-side
database support with interesting applications was introduced. While
this feature had vast potential, it has been excluded from current
specification drafts due to insufficient interest from vendors which
use various SQL back-ends. As such, the only offline feature currently
available in HTML 5 is flexible online/offline resources management
using cache manifests. Cache manifests allow an author of a document
to specify which referenced resources must be cached in browser data
store (e.g., static images, external CSS and JavaScript files) and
which must be retrieved from a server (e.g., time-sensitive data like
stock price graphs, responses from web services invoked from within
JavaScript). The manifest also provides means for specifying fallback
offline replacements for resources which must not be cached. This
mechanism gives the ability to compose HTML documents which can be
viewed offline.

REST in Forms: REST application can be characterized by a clear
separation between clients and servers, stateless communications with
the server (no client context is stored on the server between requests)
and uniform client-server protocol that can be easily invoked from other
clients. Applied to HTTP, it encourages usage of URI for identifying
all entities and standard HTTP methods like GET (retrieve), POST (change),
PUT (add) and DELETE (remove) for entity operations. HTML 5 now fully
supports issuing PUT and DELETE requests from HTML forms without any
workarounds. This is an unobtrusive, but ideologically important
innovation which brings more elegance into web architecture and simplifies
development of HTML UI for REST services.

Communicating Documents: Now documents opened in browsers can exchange
data using messages. Such data exchange may be useful on a web page
that includes several frames with the data loaded from different origins.
Usually, a browser does not allow JavaScript code to access/manipulate
the objects of other documents opened from a different origin. This is
done to prevent cross-site scripting and other malicious and destructive
endeavors..." More Info See also HTML5 differences from HTML4:

2010-08-13T23:45:00.000-07:00

Members of the W3C Device APIs and Policy Working Group have published
a First Public Working Draft for "The Messaging API". The WG was
chartered to create client-side APIs that enable the development of Web
Applications and Web Widgets that interact with devices services such
as Calendar, Contacts, Camera... This document "represents the early
consensus of the group on the scope and features of the proposed
Messaging API; in particular, the group intends to work on messages
management (move, delete, copy, etc.) in a separate specification.
Issues and editors note in the document highlight some of the points
on which the group is still working and would particularly like to
receive feedback.

The Messaging API specification defines a high-level interface to
Messaging functionality, including SMS, MMS and Email. It includes
APIs to create, send and receive messages. The specification does not
replace RFCs for Mail or SMS URLs, but includes complementary
functionality to these.

Security: The API defined in this specification can be used to create
and subscribe for incoming messages through different technologies.
Sending messages usually have a cost associated to them, especially
SMSs and MMSs. Furthermore this cost may depend on the message attributes
(e.g. destination address) or external conditions (e.g. roaming status).
Apart from billing implications, there are also privacy considerations
due to the capability to access message contents. A conforming
implementation of this specification must provide a mechanism that
protects the user's privacy and this mechanism should ensure that no
message is sent or no subscription is establisehd without the user's
express permission.

A user agent must not send messages or subscribe for incoming ones
without the express permission of the user. A user agent must acquire
permission through a user interface, unless they have prearranged
trust relationships with users, as described below. The user interface
must include the URI of the document origin, as defined in HTML 5... A
user agent may have prearranged trust relationships that do not require
such user interfaces. For example, while a Web browser will present a
user interface when a Web site request an SMS subscription, a Widget
Runtime may have a prearranged, delegated security relationship with
the user and, as such, a suitable alternative security and privacy
mechanism with which to authorize that operation...." More Infor

Public Data: Translating Existing Models to RDF

2010-03-18T22:31:00.001-07:00

"As we encourage linked data adoption within the UK public sector,something we run into again and again is that (unsurprisingly) particulardomain areas have pre-existing standard ways of thinking about the datathat they care about. There are existing models, often with multipleserialisations, such as in XML and a text-based form, that are supportedby existing tool chains. In contrast, if there is existing RDF in thatdomain area, it's usually been designed by people who are more interestedin the RDF than in the domain area, and is thus generally more focusedon the goals of the typical casual data re-user rather than theprofessionals in the area...
To give an example, the international statistics community uses SDMXfor representing and exchanging statistics... SDMX includes a well-thoughtthrough model for statistical datasets and the observations within them,as well as standard concepts for things like gender, age, unit multipliersand so on. By comparison, SCOVO, the main RDF model for representingstatistics, barely scratches the surface in comparison. This isn't theonly example: the INSPIRE Directive defines how geographic informationmust be made available. GEMINI defines the kind of geospatial metadatathat that community cares about. The Open Provenance Model is the resultof many contributors from multiple fields, and again has a number ofserialisations.
You could view this as a challenge: experts in their domains already havemodels and serialisations for the data that they care about; how can wepersuade them to adopt an RDF model and serialisations instead? Butthat's totally the wrong question. Linked data doesn't, can't and won'treplace existing ways of handling data. The question is really abouthow to enable people to reap these benefits; the answer, becauseHTTP-based addressing and typed linkage is usually hard to introduceinto existing formats, is usually to publish data using an RDF-basedmodel alongside existing formats. This might be done by generating anRDF-based format (such as RDF/XML or Turtle) as an alternative to thestandard XML or HTML, accessible via content negotiation, or byproviding a GRDDL transformation that maps an XML format into RDF/XML...
Modelling is a complex design activity, and you're best off avoidingdoing it if you can. That means reusing conceptual models that have beenbuilt up for a domain as much as possible and reusing existing vocabularieswherever you can. But you can't and shouldn't try to avoid doing designwhen mapping from a conceptual model to a particular modelling paradigmsuch as a relational, object-oriented, XML or RDF model. If you'remapping to RDF, remember to take advantage of what it's good at suchas web-scale addressing and extensibility, and always bear in mind howeasy or difficult your data will be to query. There is no pointpublishing linked data if it is unusable..."
http://www.jenitennison.com/blog/node/142See also Linked Data: http://www.w3.org/standards/semanticweb/data

There is REST for the Weary Developer

2010-03-18T22:30:00.000-07:00

This brief article provides an example of working with theRepresentational State Transfer style of software architecture. REST(Representational State Transfer) is a style of software architecturefor accessing information on the Web. The RESTful service refers toweb services as resources that use XML over the HTTP protocol. Theterm REST dates back to 2000, when Roy Fielding used it in his doctoraldissertation. The W3C recommends using WSDL 2.0 as the language fordefining REST web services. To explain REST, we take an example ofpurchasing items from a catalog application...
First we will define CRUD operations for this service as following. Theterm CRUD stands for basic database operations Create, Read, Update, andDelete. In the example, you can see that creating a new item with Idis not supported. When a request for new item is received, Id is createdand assigned to the new item. Also, we are not supporting the updateand delete operations for the collection of items. Update and delete aresupported for the individual items...
Interface documents: How does the client know what to expect in returnwhen it makes a call for CRUD operations? The answer is the interfacedocument. In this document you can define the CRUD operation mapping,Item.xsd file, and request and response XML. You can have separate XSDfor request and response, or response can have text such as 'success'in return for the methods other than GET...
There are other frameworks available for RESTful Services. Some of themare listed here: Sun reference implementation for JAX-RS code-namedJersey, where Jersey uses a HTTP web server called Grizzly, and theServlet Grizzly Servlet; Ruby on Rails; Restlet; Django; Axis2a.
http://www.devx.com/architect/Article/44341

Now IBM's Getting Serious About Public IaaS

2010-03-18T22:29:00.004-07:00

James Staten, Forrester Blog

"IBM has been talking a good cloud game for the last year or so. Theyhave clearly demonstrated that they understand what cloud computingis, what customers want from it and have put forth a variety of offeringsand engagements to help customers head down this path -- mostly throughinternal cloud and strategic rightsourcing options.
But its public cloud efforts, outside of application hosting have beena bit of wait and see. Well the company is clearly getting its acttogether in the public cloud space with today's announcement of theSmart Business Development and Test Cloud, a credible public Infrastructureas a Service (IaaS) offering. This new service is an extension of itsdeveloperWorks platform and gives its users a virtual environment throughwhich they can assemble, integrate and validate new applications. Pricingon the service is as you would expect from an IaaS offering, and freefor a limited time...
Certainly any IaaS can be used for test and development purposes so IBMisn't breaking new ground here. But its off to a solid start with statedsupport from test and dev specialist partners SOASTA, VMLogix, AppFirstand Trinity Software bring their tools to the IBM test cloud..."
http://blogs.forrester.com/james_staten/10-03-16-now_ibm%E2%80%99s_getting_serious_about_public_iaasSee also Jeffrey Schwartz in GCN: http://gcn.com/articles/2010/03/17/ibm-public-cloud-service.aspx

Aggregative Digital Libraries: D-NET Software Toolkit and OAIster System

2010-03-18T22:29:00.003-07:00

"Aggregative Digital Library Systems (ADLSs) provide end users with webportals to operate over an information space of descriptive metadatarecords, collected and aggregated from a pool of possibly heterogeneousrepositories. Due to the costs of software realization and systemmaintenance, existing "traditional" ADLS solutions are not easilysustainable over time for the supporting organizations. Recently, theDRIVER EC project proposed a new approach to ADLS construction, basedon Service-Oriented Infrastructures. The resulting D-NET software toolkitenables a running, distributed system in which one or multipleorganizations can collaboratively build and maintain theirservice-oriented ADLSs in a sustainable way. Aggregative Digital LibrarySystems (ADLSs) typically address two main challenges: (1) populating aninformation space of metadata records by harvesting and normalizingrecords from several OAI-PMH compatible repositories; and (2) providingportals to deliver the functionalities required by the user communityto operate over the aggregated information space, for example, search,annotations, recommendations, collections, user profiling, etc.
Repositories are defined here as software systems that typically offerfunctionalities for storing and accessing research publications andrelative metadata information. Access usually has the twofold form ofsearch through a web portal and bulk metadata retrieval through OAI-PMHinterfaces. In recent years, research institutions, university libraries,and other organizations have been increasingly setting up repositoryinstallations (based on technologies such as Fedora, ePrints, DSpace,Greenstone, OpenDlib, etc) to improve the impact and visibility of theiruser communities' research outcomes.
In this paper, we advocate that D-NET's 'infrastructural' approach toADLS realization and maintenance proves to be generally more sustainablethan 'traditional' ones. To demonstrate our thesis, we report on thesustainability of the 'traditional' OAIster System ADLS, based on DLXSsoftware (University of Michigan), and those of the 'infrastructural'DRIVER ADLS, based on D-NET.
As an exemplar of traditional solutions we rely on the well-known OAIsterSystem, whose technology was realized at the University of Michigan.The analysis will show that constructing static or evolving ADLSs usingD-NET can notably reduce software realization costs and that, forevolving requirements, refinement costs for maintenance can be mademore sustainable over time..."
http://www.dlib.org/dlib/march10/manghi/03manghi.html

Definitions for Expressing Standards Requirements in IANA Registries

2010-03-18T22:29:00.001-07:00

The Internet Engineering Steering Group (IESG) has received a requestto consider the specification "Definitions for Expressing StandardsRequirements in IANA Registries" as a Best Current Practice RFC (BCP).The IESG plans to make a decision in the next few weeks, and solicitsfinal comments on this action; please send substantive comments to theIETF mailing lists by 2010-04-14.
Abstract: "RFC 2119 defines words that are used in IETF standardsdocuments to indicate standards compliance. These words are fine fordefining new protocols, but there are certain deficiencies in usingthem when it comes to protocol maintainability. Protocols are maintainedby either updating the core specifications or via changes in protocolregistries. For example, security functionality in protocols oftenrelies upon cryptographic algorithms that are defined in externaldocuments. Cryptographic algorithms have a limited life span, and newalgorithms regularly phased in to replace older algorithms. This documentproposes standard terms to use in protocol registries and possibly instandards track and informational documents to indicate the life cyclesupport of protocol features and operations.
The proposed requirement words for IANA protocol registries include thefollowing. (1) MANDATORY This is the strongest requirement and for animplementation to ignore it there MUST be a valid and serious reason.(2) DISCRETIONARY, for Implementations: Any implementation MAY or MAYNOT support this entry in the protocol registry. The presence oromission of this MUST NOT be used to judge implementations on standardscompliance (and for) Operations: Any use of this registry entry inoperation is supported, ignoring or rejecting requests using this protocolcomponent MUST NOT be used as bases for asserting lack of compliance.(3) OBSOLETE for Implementations means new implementations SHOULD NOTsupport this functionality, and for Operations, means any use of thisfunctionality in operation MUST be phased out. (4) ENCOURAGED: Thisword is added to the registry entry when new functionality is added andbefore it is safe to rely solely on it. Protocols that have the abilityto negotiate capabilities MAY NOT need this state. (5) DISCOURAGED meansthis requirement is placed on an existing function that is being phasedout. This is similar in spirit to both MUST- and SHOULD- as defined andused in certain RFC's such as RFC 4835. (6) RESERVED: Sometimes thereis a need to reserve certain values to avoid problems such as valuesthat have been used in implementations but were never formally registered.In other cases reserved values are magic numbers that may be used inthe future as escape valves if the number space becomes too small. (7)AVAILABLE is a value that can be allocated by IANA at any time..."
This document is motivated by the experiences of the editors in tryingto maintain registries for DNS and DNSSEC. For example, DNS defines aregistry for hash algorithms used for a message authentication schemecalled TSIG, the first entry in that registry was for HMAC-MD5. TheDNSEXT working group decided to try to decrease the number of algorithmslisted in the registry and add a column to the registry listing therequirements level for each one. Upon reading that HMAC-MD5 was taggedas 'OBSOLETE' a firestorm started. It was interpreted as the DNScommunity making a statement on the status of HMAC-MD5 for all uses.
http://xml.coverpages.org/draft-ogud-iana-protocol-maintenance-words-03.txtSee also 'Using MUST and SHOULD and MAY': http://www.ietf.org/tao.html#anchor42

New Models of Human Language to Support Mobile Conversational Systems

2010-03-18T22:28:00.002-07:00

W3C has announced a Workshop on Conversational Applications: Use Casesand Requirements for New Models of Human Language to Support MobileConversational Systems. The workshop will be held June 18-19, 2010in New Jersey, US, hosted by Openstream. The main outcome of theworkshop will be the publication of a document that will serve as aguide for improving the W3C language model. W3C membership is notrequired to participate in this workshop. The current program committeeconsists of: Paolo Baggia (Loquendo), Daniel C. Burnett (Voxeo),Deborah Dahl (W3C Invited Expert), Kurt Fuqua (Cambridge Mobile),Richard Ishida (W3C), Michael Johnston (AT&T), James A. Larson (W3CInvited Expert), Sol Lerner (Nuance), David Nahamoo (IBM), Dave Raggett(W3C), Henry Thompson (W3C/University of Edinburgh), and Raj Tumuluri(Openstream).
"A number of developers of conversational voice applications feel thatthe model of human language currently supported by W3C standards suchas SRGS, SISR and PLS is not adequate and that developers need newcapabilities in order to support more sophisticated conversationalapplications. The goal of the workshop therefore is to understand thelimitations of the current W3C language model in order to develop amore comprehensive model. We plan to collect and analyze use cases andprioritize requirements that ultimately will be used to identifyimprovements to the W3C language model. Just as W3C developed SSML 1.1to broaden the languages for which SSML is useful, this effort willresult in improved support for language capabilities that areunsupported today.
Suggested Workshop topics for position papers include: (1) Use casesand requirements for grammar formalisms more powerful than SRGS'scontext free grammars that are needed to implement tomorrow'sapplications (2) What are the common aspects of human language modelsfor different languages that can be factored into reusable modules?(3) Use cases and requirements for realigning/extending SRGS, PLS andSISR to support more powerful human language models (4) Use cases andrequirements for sharing grammars among concurrent applications (5) Usecases that illustrate requirements for natural language capabilitiesfor conversational dialog systems that cannot easily be implementedusing the current W3C conversational language model. (6) Use cases andrequirements for speech-enabled applications that can be used acrossmultiple languages (English, German, Spanish, ...) with only minormodifications. (7) Use cases and requirements for composing thebehaviors of multiple speech-enabled applications that were developedindependently without requiring changes to the applications. (8) Usecases and requirements motivating the need to resolve ellipses andanaphoric references to previous utterances.
Position papers, due April 2, 2010, must describe requirements and usecases for improving W3C standards for conversational interaction andhow the use cases justify one or more of these topics: Formal notationsfor representing grammar in: Syntax, Morphology, Phonology, Prosodics;Engine standards for improvement in processing: Syntax, Morphology,Phonology, Lexicography; Lexicography standards for: parts-of-speech,grammatical features and polysemy; Formal semantic representation ofhuman language including: verbal tense, aspect, valency, plurality,pronouns, adverbs; Efficient data structures for binary representationand passing of: parse trees, alternate lexical/morphologic analysis,alternate phonologic analysis; Other suggested areas or improvementsfor standards based conversational systems development..."
http://www.w3.org/2010/02/convapps/cfpSee also W3C Workshops: http://www.w3.org/2003/08/Workshops/

Integrating Composite Applications on the Cloud Using SCA

2010-03-18T22:28:00.001-07:00

"Elastic computing has made it possible for organizations to use cloudcomputing and a minimum of computing resources to build and deploy anew generation of applications. Using the capabilities provided bythe cloud, enterprises can quickly create hybrid composite applicationson the cloud using the best practices of service-component architectures(SCA).
Since SCA promotes all the best practices used in service-orientedarchitectures (SOA), building composite applications using SCA is oneof the best guidelines for creating cloud-based composite applications.Applications created using several different runtimes running on thecloud can be leveraged to create a new component , as well as hybridcomposite applications which scale on-demand with private/public cloudmodels can also be built using secure transport data channels.
In this article, we show how to build and integrate composite applicationsusing Apache Tuscany, the Eucalyptus open source cloud framework, andOpenVPN to create a hybrid composite application. To show that distributedapplications comprising of composite modules (distributed across thecloud and enterprise infrastructure) can be integrated and function asa single unit using SCA without compromising on security, we create acomposite application that components spread over different domainsdistributed across the cloud and the enterprise infrastructure. We thenuse SCA to host and integrate this composite application so that itfulfills the necessary functional requirements. To ensure informationand data security, we set up a virtual private network (VPN) betweenthe different domains (cloud and enterprise), creating a point-to-pointencrypted network which provides secure information exchange betweenthe two environments...
This project illustrates that distributed applications comprising ofcomposite modules (distributed across the cloud and EnterpriseInfrastructure) can be integrated and made to function as a single unitusing Service Component Architecture (SCA) without compromising onsecurity..."
http://www.drdobbs.com/web-development/223800269

IETF Update: Specification for a URI Template

2010-03-18T22:27:00.000-07:00

A revised version of the IETF Standards Track Internet Draft "URI Template"has been published. From the abstract: "A URI Template is a compactsequence of characters for describing a range of Uniform ResourceIdentifiers through variable expansion. This specification defines theURI Template syntax and the process for expanding a URI Template intoa URI, along with guidelines for the use of URI Templates on the Internet.
Overview: "A Uniform Resource Identifier (URI) is often used to identifya specific resource within a common space of similar resources... URITemplates provide a mechanism for abstracting a space of resourceidentifiers such that the variable parts can be easily identified anddescribed. URI templates can have many uses, including discovery ofavailable services, configuring resource mappings, defining computed links,specifying interfaces, and other forms of programmatic interaction withresources.
A URI Template provides both a structural description of a URI space and,when variable values are provided, a simple instruction on how to constructa URI corresponding to those values. A URI Template is transformed intoa URI-reference by replacing each delimited expression with its value asdefined by the expression type and the values of variables named withinthe expression. The expression types range from simple value expansionto multiple key=value lists. The expansions are based on the URI genericsyntax, allowing an implementation to process any URI Template withoutknowing the scheme-specific requirements of every possible resulting URI.
A URI Template may be provided in absolute form, as in the examples above,or in relative form if a suitable base URI is defined... A URI Templateis also an IRI template, and the result of template processing can berendered as an IRI by transforming the pct-encoded sequences to theircorresponding Unicode character if the character is not in the reservedset... Parsing a valid URI Template expression does not require buildinga parser from the given ABNF. Instead, the set of allowed characters ineach part of URI Template expression has been chosen to avoid complexparsing, and breaking an expression into its component parts can beachieved by a series of splits of the character string. Example Pythoncode [is planned] that parses a URI Template expression and returns theoperator, argument, and variables as a tuple..."
http://xml.coverpages.org/draft-gregorio-uritemplate-04.txt

What Standardization Will Mean For Ruby

2010-03-18T07:33:00.001-07:00

Mirko Stocker, InfoQueue
Ruby's inventor Matz announced plans to standardize Ruby in order to"improve the compatibility between different Ruby implementations [..]and to ease Ruby's way into the Japanese government". The firstproposal for standardization will be to the Japanese IndustrialStandards Committee and in a further step to the ISO, to become aninternational standard. For now, a first draft (that weighs in at over300 pages) and official announcement are available. Alternatively,there's a wiki under development to make the standard available inHTML format.A very different approach to unite Ruby implementations is theRubySpec project -- a community driven effort to build an executablespecification. RubySpec is an offspring of the Rubinius project...[But] What do our readers think: will it be easier to introduce Rubyin their organizations if there's an ISO standard behind it?"According to RubySpec lead Brian Ford: "I think the ISO Standardizationeffort is very important for Ruby, both for the language and for thecommunity, which in my mind includes the Ruby programmers, people whouse software written in Ruby, and the increasing number of businessesbased on or using software written in Ruby. The Standardization documentand RubySpec are complementary in my view. The document places primaryimportance on describing Ruby in prose with appropriate formattingformalities. The document envisions essentially one definition of Ruby.RubySpec, in contrast, places primary importance on code that demonstratesthe behavior of Ruby. However, RubySpec also emphasizes describing Rubyin prose as an essential element of the executable specification and isthe reason we use RSpec-compatible syntax. RubySpec also attempts tocapture the behavior of the union of all Ruby implementations. Itprovides execution guards that document the specs for differences betweenimplementations. For example, not all platforms used to implement Rubysupport forking a process. So the specs have guards for whichimplementations provide that feature... This illustrates an importantdifference between the ISO Standardization document and RubySpec. TheISO document can simply state that a particular aspect of the languageis "implementation defined" and provide no further guidance. Unfortunately,implementing such a standard can be difficult, as we have seen withthe confusion caused by various browser vendors attempting to implementCSS. RubySpec attempts to squeeze the total number of unspecified Rubybehaviors to the smallest size possible..."http://www.infoq.com/news/2010/03/ruby-standardizationSee also the Ruby Standard Wiki: http://wiki.ruby-standard.org/wiki/Main_Page

New Release of Oxygen XML Editor and Oxygen XML Author Supports DITA

2010-03-18T07:32:00.002-07:00

Developers of the Oxygen XML Editor and Author toolsuite have announcedthe immediate availability of version 11.2 of the XML Editor and XMLAuthor containing a comprehensive set of tools supporting all the XMLrelated technologies. Oxygen combines content author features like theCSS driven Visual XML editor with a fully featured XML developmentenvironment. It has ready to use support for the main document frameworksDITA, DocBook, TEI and XHTML and also includes support for all XML Schemalanguages, XSLT/XQuery Debuggers, WSDL analyzer, XML Databases, XMLDiff and Merge, Subversion client and more.New features in version 11.2: Version 11.2 of Oxygen XML Editor improvesthe XML authoring, the XML development tools, the support for largedocuments and the SVN Client. The visual XML editing (Author mode) isavailable now as a separate component that can be integrated in Javaapplications or, as an Applet, in Web applications. A sample Webapplication showing the Author component in the browser, as an Applet,editing DITA documents is available...Other XML Author improvements include support for preserving theformatting for unchanged elements and an updated Author API containinga number of new extensions that allow customizing the Outline, theBreadcrumb and the Status Bar. The XSLT Debugger provides more flexibilityand it is the first debugger that can step inside XPath 2.0 expressions.The Saxon 9 EE bundled with Oxygen can be used to run XQuery 1.1transformations. The XProc support was aligned with the recent updateas W3C Proposed Recommendation and includes the latest Calabash XProcprocessor.In 'Author for DITA' there is support for Reusable Components: A fragmentof a topic can be extracted in a separate file for reuse in differenttopics. The component can be reused by inserting an element with a conrefattribute where the content of the component is needed. This works withoutany additional configuration and supports any DITA specialization.Similarly, there's support for Content References Management: The DITAframework includes actions for adding, editing and removing a contentreference (conref, conkeyref, conrefend attributes) to/from an existingelement... A new schema caching mechanism allows to quickly open largeDITA Maps and their referred topics..."http://www.oxygenxml.com/index.html#new-versionSee also XML Author Component for the DITA Documentation Framework: http://www.oxygenxml.com/demo/AuthorDemoApplet/author-component-dita.html

HTML5, Hardware Accelerated: First IE9 Platform Preview Available

2010-03-18T07:32:00.001-07:00

Dean Hachamovitch, Windows Internet Explorer WeblogAt the Las Vegas MIX10 Conference, Microsoft Internet Explorerdevelopers demonstrated "how the standard web patterns that developersalready know and use broadly run better by taking advantage of PChardware through IE9 on Windows." A blog article by Dean Hachamovitchprovides an overview of what we showed, "across performance, standards,hardware-accelerated HTML5 graphics, and the availability of the IE9Platform Preview for developers...First, we showed IE9's new script engine, internally known as 'Chakra,'and the progress we've made on an industry benchmark for JavaScriptperformance... We showed our progress in making the same standards-basedHTML, script, and formatting markup work across different browsers.We shared the data and framework that informed our approach, anddemonstrated better support for several standards: HTML5, DOM, andCSS3. We showed IE9's latest Acid3 score (55); as we make progress onthe industry goal of having the same markup that developers actuallyuse working across browsers, our Acid3 score will continue to go up...In several demonstrations, we showed the significant performance gainsthat graphically rich, interactive web pages enjoy when a browser takesfull advantage of the PC's hardware capabilities through the operatingsystem. The same HTML, script, and CSS markup work across severaldifferent browsers; the pages just run significantly faster in IE9because of hardware-accelerated graphics. IE9 is also the first browserto provide hardware-accelerated SVG support...The goal of standardsand interoperability is that the same HTML, script, and formattingmarkup work the same across different browsers. Eliminating the needfor different code paths for different browsers benefits everyone,and creates more opportunity for developers to innovate.The main technologies to call out here broadly are HTML5, CSS3, DOM,and SVG. The IE9 test drive site has more specifics and samples. Atthis time, we're looking for developer feedback on our implementationof HTML5's parsing rules, Selection APIs, XHTML support, and inlineSVG. Within CSS3, we're looking for developer feedback on IE9's supportfor Selectors, Namespaces, Colors, Values, Backgrounds and Borders,and Fonts. Within DOM, we're looking for developer feedback on IE9'ssupport for Core, Events, Style, and Range... As IE makes more progresson the industry goal of 'same markup' for standards and parts ofstandards that developers actually use, the Acid3 score will continueto go up as a result. A key part of our approach to web standards isthe development of an industry standard test suite. Today, Microsofthas submitted over 100 additional tests of HTML5, CSS3, DOM, and SVGto the W3C..."http://preview.tinyurl.com/ykceeexSee also Paul Krill's InfoWorld article: http://www.infoworld.com/d/applications/microsoft-embraces-html5-specification-in-ie9-861

Open Source of ebMS V3 Message Handler and AS4 Profile on Sourceforge

2010-03-18T07:31:00.004-07:00

Holodeck is an open source version of ebXML Messaging Version 3 andits AS4 profile is now available on Sourceforge with onlinedocumentation. The ebXML Messaging V3 specification defines acommunications-protocol neutral method for exchanging electronicbusiness messages. It defines specific Web Services-based envelopingconstructs supporting reliable, secure delivery of business information.Furthermore, the specification defines a flexible enveloping technique,permitting messages to contain payloads of any format type...The OASIS specification "AS4 Profile of ebMS V3" abstract: "While ebMS3.0 represents a leap forward in reducing the complexity of Web ServicesB2B messaging, the specification still contains numerous options andcomprehensive alternatives for addressing a variety of scenarios forexchanging data over a Web Services platform. The AS4 profile of theebMS 3.0 specification has been developed in order to bring continuityto the principles and simplicity that made AS2 successful, whileadding better compliance to Web services standards, and features suchas message pulling capability and a built-in Receipt mechanism. UsingebMS 3.0 as a base, a subset of functionality is defined along withimplementation guidelines adopted based on the 'just-enough' designprinciples and AS2 functional requirements to trim down ebMS 3.0 intoa more simplified and AS2-like specification for Web Services B2Bmessaging. This document defines the AS4 profile as a combination ofa conformance profile that concerns an implementation capability, andof a usage profile that concerns how to use this implementation. Acouple of variants are defined for the AS4 conformance profile -- theAS4 ebHandler profile and the AS4 Light Client profile -- that reflectdifferent endpoint capabilities."Holodeck's primary goal is to provide an Open-Source product for B2Bmessaging based on ebXML Messaging version 3 that can be used by ebXMLcommunities as well as WebServices communities. Because ebXML Messagingversion 3 is compatible with webservices, Holodeck provides anintegration of ebXML, webservices and AS4 in one package. Holodeckcan be used in the following scenarios: (1) Pure ebXML messaging inthe B2B or within different departments of the same company. (2)Messaging Gateway to an ESB. The ESB providing an integration withina company, while Holodeck playing the gateway to communicate with theexternal world via messaging. (3) An environment where there is a needfor both Webservice consumption and heavy B2B messaging where webservices fail...Holodeck comes with a scalable architecture: datastore for messages(JDO by default, a MySQL pre-configured option, and interfaces toother databases), and streaming for large messages (based on Axis2streaming). The project is funded and maintained by Fujitsu America,Inc. This package comes with a "no coding necessary" out-of-the-boxexperience and tutorials, allowing you to deploy and test withouthaving to write code up-front, using a directory system as applicationlayer substitute to store as files elements of messages to be sent,and to receive them. Developers can download binaries and source code,and get a fresh copy directly from "Subversion" versioning system...http://ebxml.xml.org/news/open-source-of-ebms-v3-message-handler-and-its-as4-profile-on-sourceforgeSee also the Holodeck resources from SourceForge: http://holodeck-b2b.sourceforge.net/

IESG Issues Last Call Review for MODS/MADS/METS/MARCXML/SRU Media Types

2010-03-18T07:31:00.003-07:00

The Internet Engineering Steering Group (IESG) has received a requestfrom an individual submitter the following Standards Track I-D as anIETF Proposed Standard: "The Media Types application/mods+xml,application/mads+xml, application/mets+xml, application/marcxml+xml,application/sru+xml." The IESG plans to make a decision in the nextfew weeks, and solicits final comments on this action; please sendsubstantive comments to the IETF lists by 2010-04-12.This document "specifies Media Types for the following formats: MODS(Metadata Object Description Schema), MADS (Metadata AuthorityDescription Schema), METS (Metadata Encoding and Transmission Standard),MARCXML (MARC21 XML Schema), and the SRU (Search/Retrieve via URLResponse Format) Protocol response XML schema. These are all XMLschemas providing representations of various forms of informationincluding metadata and search results.The U.S. Library of Congress, on behalf of and in collaboration withvarious components of the metadata and information retrieval community,has issued specifications which define formats for representation ofvarious forms of information including metadata and search results.This memo provides information about the Media Types associated withseveral of these formats, all of which are XML schemas. (1) 'MODS:Metadata Object Description Schema' is an XML schema for a bibliographicelement set that may be used for a variety of purposes, and particularlyfor library applications. (2) 'MADS: Metadata Authority DescriptionSchema' is an XML schema for an authority element set used to providemetadata about agents (people, organizations), events, and terms(topics, geographics, genres, etc.). It is a companion to the MODSSchema. (3) 'METS: Metadata Encoding and Transmission Standard" definesan XML schema for encoding descriptive, administrative, and structuralmetadata regarding objects within a digital library.(4) 'MARCXML MARC21 XML Schema' is an XML schema for the direct XMLrepresentation of the MARC format (for which there already exists amedia type, application/marc; By 'direct XML representation'is is meantthat it encodes the actual MARC data within XML... (5) 'SRU: Search/Retrieve via URL Response Format' provides an XML schema for the SRUresponse. SRU is a protocol, and the media type 'sru+xml' pertainsspecifically to the default SRU response. the SRU response may besupplied in any of a number of suitable schemas, RSS, ATOM, for example,and the client identifies the desired format in the request, hence theneed for a media type. This mechanism will be introduced in SRU 2.0;in previous versions (that is, all versions to date; 2.0 is indevelopment) all responses are supplied in the existing default format,so no media type was necessary. SRU 2.0 is being developed within OASIS.http://xml.coverpages.org/draft-denenberg-mods-etc-media-types-01.txtSee also IANA registration for MIME Media Types: http://www.iana.org/assignments/media-types/

OASIS SCA-C-C++ Technical Committee Publishes Two Public Review Drafts

2010-03-18T07:31:00.001-07:00

Bryan Aupperle, David Haney, Pete Robbins (eds), OASIS Review DraftsMembers of the OASIS Service Component Architecture / C and C++(SCA-C-C++) Technical Committee have released two Committee Drafts forpublic review through March 25, 2010. This TC is part of the OASISOpen Composite Services Architecture (Open CSA) Member Section advancesopen standards that simplify SOA application development. Open CSAbrings together vendors and users from around the world to collaborateon standard ways to unify services regardless of programming languageor deployment platform. Open CSA promotes the further development andadoption of the Service Component Architecture (SCA) and Service DataObjects (SDO) families of specifications. SCA helps organizations moreeasily design and transform IT assets into reusable services that canbe rapidly assembled to meet changing business requirements. SDO letsapplication programmers uniformly access and manipulate data fromheterogeneous sources, including relational databases, XML data sources,Web services, and enterprise information systems."Service Component Architecture Client and Implementation Model for C++Specification Version 1.1" describes "the SCA Client and ImplementationModel for the C++ programming language. The SCA C++ implementationmodel describes how to implement SCA components in C++. A componentimplementation itself can also be a client to other services providedby other components or external services. The document describes howa C++ implemented component gets access to services and calls theiroperations. Thisdocument also explains how non-SCA C++ components canbe clients to services provided by other components or external services.The document shows how those non-SCA C++ component implementationsaccess services and call their operations.""Service Component Architecture Client and Implementation Model for CSpecification Version 1.1" describes "the SCA Client and ImplementationModel for the C programming language. The SCA C implementation modeldescribes how to implement SCA components in C. A componentimplementation itself can also be a client to other services providedby other components or external services. The document describes howa component implemented in C gets access to services and calls theiroperations. The document also explains how non-SCA C components canbe clients to services provided by other components or externalservices. The document shows how those non-SCA C componentimplementations access services and call their operations."The OASIS SCA-C-C++ TC is developing "the C and C++ programming modelfor clients and component implementations using the Service ComponentArchitectire (SCA). SCA defines a model for the creation of businesssolutions using a Service-Oriented Architecture, based on the conceptof Service Components which offer services and which make referencesto other services. SCA models business solutions as compositions ofgroups of service components, wired together in a configuration thatsatisfies the business goals. SCA applies aspects such as communicationmethods and policies for infrastructure capabilities such as securityand transactions through metadata attached to the compositions."http://docs.oasis-open.org/opencsa/sca-c-cpp/sca-cppcni-1.1-spec-cd05.htmlSee also the Model for C specification: http://docs.oasis-open.org/opencsa/sca-c-cpp/sca-ccni-1.1-spec-cd05.html

Early Draft Review for JSR-310 Specification: Date and Time API

2010-03-18T07:30:00.003-07:00

Stephen Colebourne, Michael Nascimento Santos (et al, eds), JSR DraftProject editors for Java Specification Request 310: Date and Time APIhave published an Early Draft Review (EDR) to to gain feedback on anearly version of the JSR. The contents of the EDR are the prosespecification and the javadoc. According to the original publishedRequest, JSR 310 "will provide a new and improved date and time API forJava. The main goal is to build upon the lessons learned from the firsttwo APIs (Date and Calendar) in Java SE, providing a more advanced andcomprehensive model for date and time manipulation.The new API will be targeted at all applications needing a data modelfor dates and times. This model will go beyond classes to replace Dateand Calendar, to include representations of date without time, timewithout date, durations and intervals. This will raise the quality ofapplication code. For example, instead of using an int to store aduration, and javadoc to describe it as being a number of days, thedate and time model will provide a class defining it unambiguously.The new API will also tackle related date and time issues. These includeformatting and parsing, taking into account the ISO8601 standard andits implementations, such as XML. In addition, the areas of serializationand persistence will be considered... In this specification model,dates and times are separated into two basic use cases: machine-scaleand human-scale. Machine-scale time represents the passage of timeusing a single, continually incrementing number. The rules thatdetermine how the scale is measured and communicated are typicallydefined by international scientific standards organisations. Human-scaletime represents the passage of time using a number of named fields,such as year, month, day, hour, minute and second. The rules thatdetermine how the fields work together are defined in a calendar system...From the specification introduction: "Many Java applications requirelogic to store and manipulate dates and times. At present, Java SEprovides a number of disparate APIs for this purpose, including Date,Calendar, SQL Date/Time/Timestamp and XML Duration/XMLGregorianCalendar.Unfortunately, these APIs are not all particularly well-designed andthey do not cover many use cases needed by developers. As an example,Java developers currently have no standard Java SE class to representthe concept of a date without a time, a time without a date or aduration. The result of these missing features has been widespreadabuse of the facilities which are provided, such as using the Date orCalendar class with the time set to midnight to represent a datewithout a time. Such an approach is very error-prone - there arecertain time zones where midnight doesn't exist once a year due tothe daylight saving time cutover. JSR-310 tackles this by providinga comprehensive set of date and time classes suitable for Java SEtoday. The specification includes: Date and Time; Date without Time;Time without Date; Offset from UTC; Time Zone; Durations; Periods;Formatting and Parsing; A selection of calendar systems...Design Goals for JSR-310: (1) Immutable - The JSR-310 classes shouldbe immutable wherever possible. Experience over time has shown thatAPIs at this level should consist of simple immutable objects. Theseare simple to use, can be easily shared, are inherently thread-safe,friendly to the garbage collector and tend to have fewer bugs due tothe limited state-space. (2) Fluent API - The API strives to be fluentwithin the standard patterns of Java SE. A fluent API has methodsthat are easy to read and understand, specifically when chainedtogether. The key goal here is to simplify the use and enhance thereadability of the API. (3) Clear, explicit and expected - Eachmethod in the API should be well-defined and clear in what it does.This isn't just a question of good javadoc, but also of ensuring thatthe method can be called in isolation successfully and meaningfully.(4) Extensible - The API should be extensible in well defined waysby application developers, not just JSR authors. The reasoning issimple - there are just far too many weird and wonderful ways tomanipulate time. A JSR cannot capture all of them, but an extensibleJSR design can allow for them to be added as required by applicationdevelopers or open source projects..."http://wiki.java.net/bin/view/Projects/DateTimeEDR1See also the InfoQueue article by Alex Blewitt and Charles Humble: http://www.infoq.com/news/2010/03/jsr-310

W3C XML Security Working Group Releases Four Working Drafts for Review

2010-03-18T07:30:00.001-07:00

Members of the W3C XML Security Working Group have published four WorkingDraft specifications for public review. This WG, along with the W3C WebSecurity Context Working Group, is part of the W3C XML Security Activity,and is chartered to to take the next step in developing the XML securityspecifications."XML Encryption Syntax and Processing Version 1.1" specifies "a processfor encrypting data and representing the result in XML. The data may bein a variety of formats, including octet streams and other unstructureddata, or structure data formats such as XML documents, an XML element,or XML element content. The result of encrypting data is an XML Encryptionelement which contains or references the cipher data""XML Security Algorithm Cross-Reference" is a W3C Note which "summarizesXML Security algorithm URI identifiers and the specifications associatedwith them. The various XML Security specifications have defined a numberof algorithms of various types, while allowing and expecting additionalalgorithms to be defined later. Over time, these identifiers have beendefined in a number of different specifications, including XML Signature,XML Encryption, RFCs and elsewhere. This makes it difficult for usersof the XML Security specifications to know whether and where a URI foran algorithm of interest has been defined, and can lead to the use ofincorrect URIs. The purpose of this Note is to collect the various knownURIs at the time of its publication and indicate the specifications inwhich they are defined in order to avoid confusion and errors... The noteindicates explicitly whether an algorithm is mandatory or recommended inother specifications. If nothing is said, then readers should assumethat support for the algorithms given is optional."The "XML Security Generic Hybrid Ciphers" Working Draft "augments XMLEncryption Version 1.1 by defining algorithms, XML types and elementsnecessary to enable use of generic hybrid ciphers in XML Securityapplications. Generic hybrid ciphers allow for a consistent treatmentof asymmetric ciphers when encrypting data and consist of a keyencapsulation algorithm with associated parameters and a dataencapsulation algorithm with associated parameters." Fourth, "XMLSecurity RELAX NG Schemas" serves to publish RELAX NG schemas for XMLSecurity specifications, including XML Signature 1.1 and XML SignatureProperties.http://www.w3.org/News/2010#entry-8749See also the W3C Web Security Context WG and XML Security WG: http://www.w3.org/Security/Activity

Document Format Standards and Patents

2010-03-17T09:30:00.004-07:00

Alex Brown, Blog
This post is part of an ongoing series. It expands on Item 9 of 'ReformingStandardisation in JTC 1', which proposed Ten Recommendations for Reform,and Item 9 was "Clarify intellectual property policies: InternationalStandards must have clearly stated IP policies, and avoid unacceptablepatent encumbrances."
Historically, patents have been a fraught topic with an uneasy co-existencewith standards. Perhaps (within JTC 1) one of the most notorious recentexamples surrounded the JPEG Standard and, in part prompted by suchproblems there are certainly many people of good will wanting bettermanagement of IP in standards. Judging by some recent development indocument format standardisation, it seems probable that this will be thearea where progress can next be made...
The Myth of Unencumbered Technology: Given the situation we are evidentlyin, it is clear that no technology is safe. The brazen claims ofcorporations, the lack of diligence by the US Patent Office, and thecapriciousness of courts means that any technology, at any time, maysuddenly become patent encumbered. Technical people - being logical andreasonable - often make the mistake of thinking the system is bound bylogic and reason; they assume that because they can see 'obvious' priorart, then it will apply; however as the case of the i4i patent vividlyillustrates, this is simply not so.
While the "broken stack" of patents is beyond repair by any singlestandards body, at the very least the correct application of the rulescan make the situation for users of document format standards moretransparent and certain. In the interests of making progess in thisdirection, it seems a number of points need addressing now. (1) Usersshould be aware that the various covenants and promises being pointed-toby the US vendors need not be relevant to them as regards standards use.Done properly, International Standardization can give a clearer andstronger guarantee of license availability -- without the caveats,interpretable points and exit strategies these vendors' documentsinvariably have. (2) In particular it should be of concern to NBs thatthere is no entry in JTC 1's patent database for OOXML (there is forDIS 29500, its precursor text, a ZRAND promise from Microsoft); thereis no entry whatsoever for ODF... (3) In the case of the i4i patent,one implementer has already commented that implementing CustomXML inits entirety may run the risk of infringement -- and this is probably,after all, why Microsoft patched Word in the field to remove someaspects of its CustomXML support).... (4) When declaring their patentsto JTC 1, patent holders are given an option whether to make a generaldeclaration about the patents that apply to a standard, or to make aparticular declaration about each and every itemized patent whichapplies. I believe NBs should be insisting that patent holder enumerateprecisely the patents they hold which they claim apply.. There isobviously much to do, and I am hoping that at the forthcoming SC 34meetings in Stockholm this work can begin...
http://www.adjb.net/post/Document-Format-Standards-and-Patents.aspxSee also article Part 1: http://www.adjb.net/post/Reforming-Standardisation-in-JTC-1-e28093-Part-1.aspx

Consensus Emerges for Key Web Application Standard

2010-03-17T09:30:00.003-07:00

"Browser makers, grappling with outmoded technology and a vision torebuild the Web as a foundation for applications, have begun convergingon a seemingly basic by very important element of cloud computing. Thatability is called local storage, and the new mechanism is calledIndexed DB. Indexed DB, proposed by Oracle and initially calledWebSimpleDB, is largely just a prototype at this stage, not somethingWeb programmers can use yet. But already it's won endorsements fromMicrosoft, Mozilla, and Google, and together, Internet Explorer, Firefox,and Chrome account for more than 90 percent of the usage on the Net today.
Standardization could come: advocates have worked Indexed DB into theconsiderations of the W3C, the World Wide Web Consortium thatstandardizes HTML and other Web technologies. In the W3C discussions,Indexed DB got a warm reception from Opera, the fifth-ranked browser.
It may sound perverse, but the ability to store data locally on a computerturns out to be a very important part of the Web application era that'sreally just getting under way. The whole idea behind cloud computing isto put applications on the network, liberating them from being tied toa particular computer, but it turns out that the computer still matters,because the network is neither fast nor ubiquitous. Local storage letsWeb programmers save data onto computers where it's convenient forprocessors to access. That can mean, for example, that some aspects ofGmail and Google Docs can work while you're disconnected from thenetwork. It also lets data be cached on the computer for quick accesslater. The overall state of the Web application is maintained on theserver, but stashing data locally can make cloud computing faster andmore reliable..."
An editor's draft of the W3C specification "Indexed Database API" isavailable online: " User agents need to store large numbers of objectslocally in order to satisfy off-line data requirements of Web applications.'Webs Storage' [10-September-2009 WD] is useful for storing pairs ofkeys and their corresponding values. However, it does not provide in-orderretrieval of keys, efficient searching over values, or storage ofduplicate values for a key. This specification provides a concrete APIto perform advanced key-value data management that is at the heart ofmost sophisticated query processors. It does so by using transactionaldatabases to store keys and their corresponding values (one or moreper key), and providing a means of traversing keys in a deterministicorder. This is often implemented through the use of persistent B-treedata structures that are considered efficient for insertion and deletionas well as in-order traversal of very large numbers of data records.
http://news.cnet.com/8301-30685_3-20000376-264.htmlSee also the latest editor's version for Indexed Database API: http://dev.w3.org/2006/webapi/WebSimpleDB/

IETF First Draft for Codec Requirements

2010-03-17T09:30:00.001-07:00

Members of the IETF Internet Wideband Audio Codec (CODEC) Working Grouphave released an initial level -00 Internet Draft specification for"Codec Requirements." Additional discussion (development process,evaluation, requirements conformance, intellectual property issues) isprovided in the draft for "Guidelines for the Codec Development Withinthe IETF." The IETF CODEC Working Group was formed recently to "toensure the existence of a single high-quality audio codec that isoptimized for use over the Internet and that can be widely implementedand easily distributed among application developers, service operators,and end users."
"According to reports from developers of Internet audio applicationsand operators of Internet audio services, there are no standardized,high-quality audio codecs that meet all of the following three conditions:(1) Are optimized for use in interactive Internet applications. (2) Arepublished by a recognized standards development organization (SDO) andtherefore subject to clear change control. (3) Can be widely implementedand easily distributed among application developers, service operators,and end users. According to application developers and service operators,an audio codec that meets all three of these would: enable protocoldesigners to more easily specify a mandatory-to-implement codec intheir protocols and thus improve interoperability; enable developersto more easily easily build innovative, interactive applications forthe Internet; enable service operators to more easily deploy affordable,high-quality audio services on the Internet; and enable end users ofInternet applications and services to enjoy an improved user experience.
The "Codec Requirements" specification provides requirements for an audiocodec designed specifically for use over the Internet. The requirementsattempt to address the needs of the most common Internet interactiveaudio transmission applications and to ensure good quality whenoperating in conditions that are typical for the Internet. Theserequirements address the quality, sampling rate, delay, bit-rate, andpacket loss robustness. Other desirable codec properties are consideredas well...
In-scope applications include: (1) Point to point calls -- where pointto point calls are voice over IP (VoIP) calls from two "standard" (fixedor mobile) phones, and implemented in hardware or software. (2)Conferencing, where conferencing applications that support multi-partycalls have additional requirements on top of the requirements forpoint-to-point calls; conferencing systems often have higher-fidelityaudio equipment and have greater network bandwidth available -- especiallywhen video transmission is involved. (3) Telepresence, where mosttelepresence applications can be considered to be essentially veryhigh-quality video-conferencing environments, so all of the conferencingrequirements also apply to telepresence. (4) Teleoperation, whereteleoperation applications are similar to telepresence, with theexception that they involve remote physical interactions. (5) In-gamevoice chat, where the requirements are similar to those of conferencing,with the main difference being that narrowband compatibility is notnecessary. (6) Live distributed music performances / Internet musiclessons, and other applications, where live music requires extremelylow end-to-end delay and is one of the most demanding application forinteractive audio transmission.
http://xml.coverpages.org/draft-ietf-codec-requirements-00.txtSee also the IETF Internet Wideband Audio Codec (CODEC) Working Group Charter: http://www.ietf.org/dyn/wg/charter/codec-charter.html

Don't Look Down: The Path to Cloud Computing is Still Missing a Few Steps

2010-03-17T09:29:00.000-07:00

This article narrates how government agencies are seeking to navigateissues of interoperability, data migrations, security, and standards inthe context of Cloud Computing. The government defines cloud computingas an on-demand model for network access, allowing users to tap into ashared pool of configurable computing resources, such as applications,networks, servers, storage and services, that can be rapidly provisionedand released with minimal management effort or service-provider interaction.
Momentum for cloud computing has been building during the past year,after the new [U.S.] administration trumpeted the approach as a way toderive greater efficiency and cost savings from information technologyinvestments. But the journey to cloud computing infrastructures willtake a few more years to unfold, federal CIOs and industry experts say.Issues of data portability among different cloud services, migration ofexisting data, security and the definition of standards for all of thoseareas are the missing rungs on the ladder to the clouds.
The Federal Cloud Computing Security Working Group, an interagencyinitiative, is working to develop the Government-Wide AuthorizationProgram (GAP), which will establish a standard set of security controlsand a common certification and accreditation program that will validatecloud computing providers...Cloud vendors need to implement multipleagency policies, which can translate into duplicative risk managementprocesses and lead to inconsistent application of federal securityrequirements.
At the user level, there are challenges associated with access controland identity management,according to Doug Bourgeois, director of theInterior Department's National Business Center.. Organizations mustextend their existing identity, access management, audit and monitoringstrategies into the cloud. However, the problem is that existingenterprise systems might not easily integrate with the cloud... An agencycannot transfer data from a public cloud provider, such as Amazon orGoogle, and put it in an infrastructure-as-a-service platform that aprivate cloud provider develops for the agency and then exchange thatdata with another type of cloud provider; that type of data transfer isdifficult because there are no overarching standards for operating in ahybrid environment...
http://gcn.com/articles/2010/03/15/cloud-computing-missing-steps.aspx

Implementing User Agent Accessibility Guidelines (UAAG) 2.0

2010-03-17T09:28:00.002-07:00

James Allan, Kelly Ford, Jeanne Spellman (eds), W3C Technical Report
Members of the W3C User Agent Accessibility Guidelines Working Grouphave published a First Public Working Draft for "Implementing UAAG 2.0:A Guide to Understanding and Implementing User Agent AccessibilityGuidelines 2.0" and an updated version of of the "User AgentAccessibility Guidelines (UAAG) 2.0" specification. Comments on thetwo documents should be sent to the W3C public list by 16-April-2010.
The "User Agent Accessibility Guidelines (UAAG) 2.0" specification ispart of a series of accessibility guidelines published by the W3C WebAccessibility Initiative (WAI). It provides guidelines for designinguser agents that lower barriers to Web accessibility for people withdisabilities. User agents include browsers and other types of softwarethat retrieve and render Web content. A user agent that conforms tothese guidelines will promote accessibility through its own userinterface and through other internal facilities, including its abilityto communicate with other technologies (especially assistive technologies).Furthermore, all users, not just users with disabilities, should findconforming user agents to be more usable.
In addition to helping developers of browsers and media players, thedocument will also benefit developers of assistive technologies becauseit explains what types of information and control an assistive technologymay expect from a conforming user agent. Technologies not addresseddirectly by this document (e.g., technologies for braille rendering)will be essential to ensuring Web access for some users with disabilities.
The Working Draft for "Implementing UAAG 2.0" provides supportinginformation for the User Agent Accessibility Guidelines (UAAG) 2.0. Thedocument provides explanation of the intent of UAAG 2.0 success criteria,examples of implementation of the guidelines, best practice recommendationsand additional resources for the guideline. It includes a new sectionsupporting the definition of a user agent.
http://www.w3.org/TR/2010/WD-IMPLEMENTING-UAAG20-20100311/See also the updated UAAG 2.0 specification: http://www.w3.org/TR/2010/WD-UAAG20-20100311/

IETF Internet Draft: Requirements for End-to-End Encryption in XMPP

2010-03-17T09:28:00.001-07:00

Members of the IETF Extensible Messaging and Presence Protocol (XMPP)Working Group have published an Internet Draft specifying "Requirementsfor End-to-End Encryption in the Extensible Messaging and PresenceProtocol (XMPP)." The Extensible Messaging and Presence Protocol isan open technology for real-time communication, which powers a widerange of applications including instant messaging, presence, multi-partychat, voice and video calls, collaboration, lightweight middleware,content syndication, and generalized routing of XML data.
XMPP technologies are typically deployed using a client-serverarchitecture. As a result, XMPP endpoints (often but not alwayscontrolled by human users) need to communicate through one or moreservers. For example, the user 'juliet@capulet.lit' connects to the'capulet.lit' server and the user 'romeo@montague.lit' connects to the'montague.lit' server, but in order for Juliet to send a message toRomeo the message will be routed over her client-to-server connectionwith capulet.lit, over a server-to-server connection between'capulet.lit' and 'montague.lit', and over Romeo's client-to-serverconnection with montague.lit. Although the XMPP-CORE specificationrequires support for Transport Layer Security to make it possible toencrypt all of these connections, when XMPP is deployed any of theseconnections might be unencrypted. Furthermore, even if theserver-to-server connection is encrypted and both of theclient-to-server connections are encrypted, the message would stillbe in the clear while processed by both the 'capulet.lit' and'montague.lit' servers.
Thus, end-to-end ('e2e') encryption of traffic sent over XMPP is adesirable goal. Since 1999, the Jabber/XMPP developer community hasexperimented with several such technologies, including OpenPGP, S/MIME,and encrypted sessions. More recently, the community has explored thepossibility of using Transport Layer Security (TLS) as the basetechnology for e2e encryption. In order to provide a foundation fordeciding on a sustainable approach to e2e encryption, this documentspecifies a set of requirements that the ideal technology would meet.
This specification primarily addresses communications security('commsec') between two parties, especially confidentiality, dataintegrity, and peer entity authentication. Communications security canbe subject to a variety of attacks, which RFC 3552 divides into passiveand active categories. In a passive attack, information is leaked(e.g., a passive attacker could read all of the messages that Julietsends to Romeo). In an active attack, the attacker can add, modify,or delete messages between the parties, thus disrupting communications...Ideally, any technology for end-to-end encryption in XMPP could beextended to cover any of: One-to-one communication sessions betweentwo 'online' entities, One-to-one messages that are not transferredin real time, One-to-many information broadcast, Many-to-manycommunication sessions among more than two entities. However, bothone-to-many broadcast and many-to-many sessions are deemed out-of-scopefor this document, and this document puts more weight on one-to-onecommunication sessions..."
http://xml.coverpages.org/draft-ietf-xmpp-e2e-requirements-01.txtSee also Cryptographic Key Management: http://xml.coverpages.org/keyManagement.html

StoneGate SSL VPN Virtual Solution Supports OVF, SAML 2.0, and ADFS

2010-03-14T10:32:00.000-07:00

"Stonesoft has introduced three new products designed to provide securemobile and remote access. This includes the new StoneGate SSL VPNVirtual solution, StoneGate SSL VPN 1.4 and StoneGate SSL-1060. TheStoneGate SSL VPN Virtual solution is based on the Open Virtual Format(OVF) standard and provides multiple features that meet the needs ofthese environments, such as strong authentication, a flexible applicationportal and support for Federation ID standards such as SAML 2.0 andADFS. The StoneGate SSL VPN Virtual Appliance is compatible with bothVMware's ESX/ESXi 3.5 and 4.0 (vSphere) versions.

The StoneGate SSL VPN Virtual solution complements the company'sStoneGate Virtual Firewall and Virtual IPS solutions for virtual andcloud computing environments. The new solution allows rapid deploymentand implementation of secure mobile access to cloud computing.

As cloud computing becomes more prevalent in corporate business andvirtualized data centers, there is a stronger need for secure accessto corporate applications in the cloud. The StoneGate SSL VPN Virtualsolution combines the need for granular access to the corporate weband legacy applications with the secure and authenticated profilingof users

The StoneGate SSL VPN 1.4 offers organizations enhanced securityprovided with integrated mobile authentication methods, granular accesscontrol and a holistic view of access rights within a single integratedaccess policy. Additionally, the appliance provides easy managementand administration of access control for all network users.Administrators can easily select the parameters, or a combination ofparameters, that will grant or deny the access to applications. Thisincludes sophisticated assessment and trace removal techniques toensure that corporate security standards are enforced at all timesfor mobile and roaming users..."

http://www.stonesoft.com/us/news_and_events/releases/2010/11032010.htmlSee also the OASIS SAML TC: http://www.oasis-open.org/committees/security/

Introduction to Pyjamas: Exploit the Synergy of GWT and Python

2010-03-14T10:31:00.002-07:00

Pyjamas is a cool tool, or framework, for developing AsynchronousJavaScript and XML (Ajax) applications in Python. It's a versatiletool that you can use to write comprehensive applications withoutwriting any JavaScript code. This series examines the myriad aspectsof Pyjamas, and this first article explores Pyjamas's background andbasic elements.

Google's Web Toolkit (GWT) lets you develop a Rich Internet Application(RIA) with Ajax, entirely in Java code. You can use the rich Java toolset(IDEs, refactoring, code completion, debuggers, and so on) to developapplications that can be deployed on all major Web browsers. With GWTyou can write applications that behave like desktop applications butrun in the browser. Pyjamas, a GWT port, is a tool and framework fordeveloping Ajax applications in Python.

WebKit, XUL, and their ilk bring modern flair to desktop applications.Pyjamas brings WebKit to Python developers. With Webkit, Pyjamas becomesa cross-browser and cross-platform set of GUI widgets. You can developwidgets that will run anywhere WebKit and XUL run. The Pyjamas API-basedapplication can live anywhere GWT applications would live. Plus, Pyjamaslets you write desktop applications built on top of WebKit and XUL.This is preferable to building applications on top of Qt or GTK becauseWebKit supports CSS, and it is used in many other places for reliablerendering (iPhone, Safari, Android, and so on).

With Pyjamas you create containers, then add widgets to the containers.The widgets can be labels, text fields, buttons, and so forth. Widgets,like buttons, have event handlers so you can listen for click eventsfrom the button..."
http://www.ibm.com/developerworks/web/library/wa-aj-pyjamas/

Dissecting the Consortium: A Uniquely Flexible Platform for Collaboration

2010-03-14T10:31:00.001-07:00

Andrew Updegrove, Standards Today Bulletin

"The opportunities and imperatives for collaborative action of all kindsamong both for-profit and non-profit entities are growing as the worldbecomes more interconnected and problem solving becomes less susceptibleto unilateral action. Those activities include research and development,information acquisition and sharing, group purchasing, open sourcesoftware and content creation, applying for government grant funding,and much more.
At the same time, the rapid spread of Internet and Web accessibility allowscollaborative activities to be undertaken more easily, and among morewidely distributed participants, than has ever been possible before. Butwhile the technology enabling collaboration has become ubiquitous,hard-won knowledge regarding best practices, successful governancestructures, and appropriate legal frameworks for forming and managingsuccessful collaborative activities has yet to be widely shared. As aresult, those wishing to launch new collaborative projects may havedifficulty finding reliable guidance in order to create structuresappropriate to support their activities.
In this article, I provide a list of attributes that define and functionsthat are common to consortia, an overview of how their activities aretypically staffed and supported, a comparative taxonomy of the existinglegal/governance structures that have been created to address them, andan overview of the legal concerns which consortium founders need toaddress...
Multiple forces in the world today are converging to increase the easeand raise the value of collaboration in both the public and privatesectors. Indeed, it is becoming increasingly common in business literatureto find the opinion expressed that companies that fail to collaboratewith their peers will be at a severe disadvantage to their more-willingcompetitors. In light of such opportunities, it is important for thefounders of new collaborative projects, and their legal counsel, to befamiliar with the types of frameworks available to serve as platformsfor their endeavors, and to choose wisely before launching theirinitiatives. Happily, the consortium model, in all of its variations,provides a uniquely flexible and appropriate foundation upon which thecollaborations of the future can be based..."
http://www.consortiuminfo.org/bulletins/jan10.php#feature

Expressing SNMP SMI Datatypes in XML Schema Definition Language

2010-03-14T10:29:00.000-07:00

Mark Ellison and Bob Natale (eds), IETF Internet Draft

Members of the IETF Operations and Management Area Working Group WorkingGroup have published a revised Internet Draft for "Expressing SNMP SMIDatatypes in XML Schema Definition Language." The memo defines the IETFstandard expression of Structure of Management Information (SMI) basedatatypes in Extensible Markup Language (XML) Schema Definition (XSD)language. The primary objective of this memo is to enable the productionof XML documents that are as faithful to the SMI as possible, using XSDas the validation mechanism.

Background: "Numerous use cases exist for expressing the managementinformation described by SMI Management Information Base (MIB) modulesin XML. Potential use cases reside both outside and within the traditionalIETF network management community. For example, developers of someXML-based management applications may want to incorporate the rich setof data models provided by MIB modules. Developers of other XML-basedmanagement applications may want to access MIB module instrumentationvia gateways to SNMP agents. Such applications benefit from the IETFstandard mapping of SMI datatypes to XML datatypes via XSD.

MIB modules use SMIv2 (RFC 2578) to describe data models. For legacyMIB modules, SMIv1 (RFC 1155) was used. MIB data conveyed in variablebindings ('varbinds') within protocol data units (PDUs) of SNMP messagesuse the primitive, base datatypes defined by the SMI. The SMI allowsfor the creation of derivative datatypes, 'textual conventions' ('TCs').A TC has a unique name, has a syntax that either refines or is a baseSMI datatype and has relatively precise application-level semantics.TCs facilitate correct application-level handling of MIB data, improvereadability of MIB modules by humans and support appropriate renderingsof MIB data.

Values in varbinds corresponding to MIB objects defined with TC syntaxare always encoded as the base SMI datatype underlying the TC syntax.Thus, the XSD mappings defined in this memo provide support for valuesof MIB objects defined with TC syntax as well as for values of MIB objectsdefined with base SMI syntax. Various independent schemes have beendevised for expressing SMI datatypes in XSD. These schemes exhibit adegree of commonality, especially concerning numeric SMI datatypes, butthese schemes also exhibit sufficient differences, especially concerningthe non-numeric SMI datatypes, precluding uniformity of expression andgeneral interoperability..."

http://xml.coverpages.org/draft-ietf-opsawg-smi-datatypes-in-xsd-06.txtSee also the IETF Operations and Management Area Working Group WG Status Pages: http://tools.ietf.org/wg/opsawg/

Proposed Recommendation Call for Review: XProc - An XML Pipeline Language

2010-03-14T10:27:00.002-07:00

Norman Walsh, Alex Milowski, Henry S. Thompson (eds), W3C PR

The W3C XML Processing Model Working Group has published a ProposedRecommendation for "XProc - An XML Pipeline Language", together with an"Implementation Report for XProc: An XML Pipeline Language." Given thatthe changes to this draft do not affect the validity of that earlierimplementation feedback, except in specific areas also now covered bymore recent implementation feedback, the Working Group is now publishingthis version as a Proposed Recommendation. The review period ends on15-April-2010; members of the public are invited to send comments onthis Proposed Recommendation to the 'public-xml-processing-model-comments'mailing list.

An XML Pipeline specifies a sequence of operations to be performed on acollection of XML input documents. Pipelines take zero or more XMLdocuments as their input and produce zero or more XML documents as theiroutput.

A pipeline consists of steps. Like pipelines, steps take zero or more XMLdocuments as their inputs and produce zero or more XML documents as theiroutputs. The inputs of a step come from the web, from the pipelinedocument, from the inputs to the pipeline itself, or from the outputs ofother steps in the pipeline. The outputs from a step are consumed byother steps, are outputs of the pipeline as a whole, or are discarded.There are three kinds of steps: atomic steps, compound steps, andmulti-container steps. Atomic steps carry out single operations and haveno substructure as far as the pipeline is concerned. Compound steps andmulti-container steps control the execution of other steps, which theyinclude in the form of one or more subpipelines.

The result of evaluating a pipeline (or subpipeline) is the result ofevaluating the steps that it contains, in an order consistent with theconnections between them. A pipeline must behave as if it evaluated eachstep each time it is encountered. Unless otherwise indicated,implementations must not assume that steps are functional (that is, thattheir outputs depend only on their inputs, options, and parameters) orside-effect free. The pattern of connections between steps will notalways completely determine their order of evaluation. The evaluationorder of steps not connected to one another is implementation-dependent...A typical step has zero or more inputs, from which it receives XMLdocuments to process, zero or more outputs, to which it sends XMLdocument results, and can have options and/or parameters. An atomicstep is a step that performs a unit of XML processing, such as XIncludeor transformation, and has no internal subpipeline. ] Atomic steps carryout fundamental XML operations and can perform arbitrary amounts ofcomputation, but they are indivisible. An XSLT step, for example,performs XSLT processing; a Validate with XML Schema step validates oneinput with respect to some set of XML Schemas, etc..."

http://www.w3.org/TR/2010/PR-xproc-20100309/See also the XProc Implementation Report: http://www.w3.org/XML/XProc/2010/02/ir.html

OASIS Blue Member Section: Open Standards for Smart Energy Grids

2010-03-14T10:27:00.001-07:00

OASIS has announced the formation of a new Member Section, OASIS Blue,which will bring together a variety of open standards projects relatedto energy, intelligent buildings, and natural resources. OASIS Blue willleverage the innovation of existing electronic commerce standards andthe power of the Internet to achieve meaningful sustainability. Aninternational effort, OASIS Blue incorporates work that has identifiedas a central deliverable for the U.S. government's strategic Smart Gridinitiative. OASIS Blue welcomes suggestions for forming new Committeesrelated to its mission.
The collaboration incoudes IBM, Constellation NewEnergy, CPower, EnerNOC,Grid Net, HP, NeuStar, TIBCO, U.S. Department of Defense, U.S. NationalInstitute of Standards and Technology (NIST), and others.
Several Technical Committees will coordinate efforts under OASIS Blue.The Energy Interoperation Technical Committee defines standards for thecollaborative and transactive use of energy within demand response anddistributed energy resources. The Energy Market Information Exchange(eMIX) Technical Committee works on exchanging pricing information andproduct definitions in energy markets. The Open Building InformationExchange (oBIX) Technical Committee enables mechanical and electricalcontrol systems in buildings to communicate with enterprise applications.Members of the oBIX TC plan to use the WS-Calendar specification tocoordinate control system performance expectations with enterprise andsmart grid activities.
David Chassin of Pacific Northwest National Laboratory, chair of theOASIS Blue Steering Committee: "OASIS Blue provides a safe, neutralenvironment where stakeholders can cooperate to define clear taxonomiesand information-sharing protocols that will be recognized by theinternational standards community." Other OASIS Blue Steering Committeemembers include Steven Bushby of NIST, Bob Dolin of Echelon, Rik Drummondof the Drummond Group, Girish Ghatikar of Lawrence Berkeley NationalLaboratory, Francois Jammes of Schneider Electric, Arnaud Martens ofBelgian SPF Finances, Dana K. "Deke" Smith of buildingSMART alliance,and Jane L. Snowdon, Ph.D., of IBM.

IETF Internet Draft: Security Requirements for HTTP

2010-03-14T10:26:00.001-07:00

Jeff Hodges and Barry Leiba (eds), IETF Internet Draft

An updated version of the IETF Informational Internet Draft has beenpublished docmenting "Security Requirements for HTTP." Recent InternetEngineering Steering Group (IESG) practice dictates that IETF protocolsmust specify mandatory-to-implement (MTI) security mechanisms, so thatall conformant implementations share a common baseline. This documentexamines all widely deployed HTTP security technologies, and analyzesthe trade-offs of each. The document examines the effects of applyingsecurity constraints to Web applications, documents the properties thatresult from each method, and will make Best Current Practicerecommendations for HTTP security in a later document version.
Some existing HTTP Security Mechanisms include: Forms And Cookies, HTTPAccess Authentication [Basic Authentication, Digest Authentication,Authentication Using Certificates in TLS, Other Access AuthenticationSchemes, Centrally-Issued Tickets, and Web Services security mechanisms.In addition to using TLS for client and/or server authentication, itis also very commonly used to protect the confidentiality and integrityof the HTTP session. For instance, both HTTP Basic authentication andCookies are often protected against snooping by TLS. It should be notedthat, in that case, TLS does not protect against a breach of thecredential store at the server or against a keylogger or phishinginterface at the client. TLS does not change the fact that BasicAuthentication passwords are reusable and does not address that weakness.
Is is possible that HTTP will be revised in the future. "HTTP/1.1" (RFC2616) and "Use and Interpretation of HTTP Version Numbers" (RFC 2145)define conformance requirements in relation to version numbers. In HTTP1.1, all authentication mechanisms are optional, and no single transportsubstrate is specified. Any HTTP revision that adds a mandatory securitymechanism or transport substrate will have to increment the HTTP versionnumber appropriately. All widely used schemes are non-standard and/orproprietary..."

Elastic Provisioning in the Cloud: Terracotta and Eucalyptus Integration

2010-03-14T10:25:00.000-07:00

"Terracotta recently announced a partnership with open source privatecloud platform vendor Eucalyptus that allows the companies to provisionprivate clouds on the Amazon AWS-compatible Eucalyptus cloud platformand take advantage of the elasticity and flexibility of the cloud.
Eucalyptus is compatible with the Amazon AWS public cloud infrastructureand its design gives users the option of moving applications fromon-premise Eucalyptus clouds to public clouds, and vice versa. It alsosupports 'hybrid' clouds allowing a composite of private (generally usedto store private data) and public (provided by cloud service providersto offer customers the ability to deploy and consume services) cloudresources together to get the benefits of both deployment models. Byaddressing the data layer and to provision elastic cloud resourceswithin internal infrastructure, Eucalyptus and Terracotta integrationgives the organizations a way to build private clouds using commodityhardware and the virtualization technology."
Excerpts from comments of Ari Zilka (Terracotta) and Rich Wolsk(Eucalyptus): "We have both seen the need for the combined feature setwe offer in a number of customer engagements, so working together madea lot of sense. Eucalyptus provides the provisioning and managementframework for building and operating private clouds, and Terracottaensures application data can elastically scale to meet the demands ofthis dynamically configured compute tier. The products are verycomplementary...
Developers using Eucalyptus as a cloud platform can immediately use theTerracotta scaling and caching frameworks to quickly build scalableweb sites and Java applications, and deploy those applications to eitherEucalyptus or to Amazon AWS. Developers already using Terracotta inAmazon's cloud can bring those applications and sites into aEucalyptus-managed an on-premise cloud within their own data center..."

Anatomy of an Open Source Cloud: Infrastructure as a Service

2010-03-14T10:24:00.002-07:00

Cloud computing is no longer a technology on the cusp of breaking outbut a valuable and important technology that is fundamentally changingthe way we use and develop applications. Volumes could be written aboutthe leadership role that open source is playing in the cloud andvirtualization domain, but this article provided a short introductionto some of the popular and visible solutions available today. Whetheryou're looking to build a cloud based on your own requirements fromindividual pieces or simply want a cohesive solution that works out ofthe box, open source has you covered.
This article begins with an exploration of the core abstractions ofcloud architectures (from Infrastructure as a Service IaaS), thenmoves beyond the building blocks to the more highly integratedsolutions. Although not a requirement, virtualization provides uniquebenefits for building dynamically scalable architectures. In additionto scalability, virtualization introduces the ability to migrate virtualmachines (VMs) between physical servers for the purposes of loadbalancing. The virtualization component is provided by a layer ofsoftware called a hypervisor (sometimes called a virtual machinemonitor - VMM). This layer provides the ability to execute multipleoperating systems (and their applications) simultaneously on a singlephysical machine. On the hypervisor is an object called a virtual machinethat encapsulates the operating system, applications, and configuration.Optionally, device emulation can be provided in the hypervisor or as aVM. Finally, given the new dynamic nature of virtualization and the newcapabilities it provides, new management schemes are needed. Thismanagement is best done in layers, considering local management at theserver, as well as higher-level infrastructure management, providingthe overall orchestration of the virtual environment.
As VMs are an aggregation of operating system, root file system, andconfiguration, the space is ripe for tool development. But to realizethe full potential of VMs and tools, there must be a portable way toassemble them. The current approach, called the Open VirtualizationFormat (OVF) is a VM construction that is flexible, efficient, andportable. OVF wraps a virtual disk image in an XML wrapper that definesthe configuration of the VM, including networking configuration,processor and memory requirements, and a variety of extensible metadatato further define the image and its platform needs. The key capabilityprovided by OVF is the portability to distribute VMs in ahypervisor-agnostic manner..."

W3C Launches Decisions and Decision-Making Incubator Group

2010-03-14T10:24:00.001-07:00

"W3C is pleased to announce the creation of the Decisions and Decision-Making Incubator Group. The mission of this XG is to determine therequirements, use cases, and a representation of decisions anddecision-making in a collaborative and networked environment suitablefor leading to a potential standard for decision exchange, sharedsituational awareness, and measurement of the speed, effectiveness,and human factors of decision-making. Incubator Activity work is noton the W3C standards track but in many cases serves as a starting pointfor a future Working Group. The following W3C Members have sponsoredthe charter for this group: DISA, MITRE, and CNR. Jeff Waters and DonMcGarry are the initial Decisions and Decision-Making Incubator Groupco-Chairs.
Background: "Everyone makes important decisions in the dailyaccomplishment of their duties. The aggregate of these decisionsconstitutes the current state of their organization, and charts thecourse for our future direction and progress. In a sense, ourdecisions represent individuals and the organizations they represent.The effective representation, management, evaluation, and sharing ofthese decisions determines the success of the enterprise. Especiallyin a distributed, self-organizing, networked environment where digitalmedia are the main interaction between members, distribution andtracking of decisions is particularly important for understandingwhat others are doing. Our decisions serve as information-work products;both as inputs and outputs. We use others decisions as references andour decisions become references to the decision process of others.The significant time and effort we spend converting our decisionsinto work products such as briefs, papers, proposals, and communicationof our decisions in meetings, teleconferences, conversations, andemails, could be recaptured if we had a standard concise format forrepresenting and sharing our decisions.
For these reasons, the members of the Decisions and Decision-MakingIncubator are exploring and determining the requirements, use cases,and a potential standard format for representing our decisionsefficiently and effectively in a collaborative networked environmentfor the purpose of information exchange for situational awareness.The Emergency Data Exchange Language Common Alerting Protocol (EDXL-CAP)family of standards is an example of the type and style of informationexchange formats which are simple, useful, and understandable. WhatEDXL-CAP did for alerts, a common decision exchange protocol shoulddo for decisions. However, to reach its full potential, the proposeddecision format must be extended by the Semantic Web tools andstandards to provide semantic interoperability and to provide a basisfor reasoning that can ease development of advanced applications.Simplicity and understandability of decisions is particularly importantin distributed, dynamic settings such as emergency management.
The group will maintain a wiki site containing relevant information.The deliverables will be a final report, a potential standard ontology,examples, and potentially prototype tools using the ontology. Thevision of the final report outline includes: introduction, backgroundand need, scope, use cases, requirements, issues and challenges,ontological patterns & solutions, sample decision ontology, representationformats, examples, candidate tools for instrumentation, examples,recommendations, and conclusion. In case the group decides that aparticular technology is ripe for further standardization at the W3C,the group will consider preparing a W3C member submission and/or proposea W3C group charter to be considered by the W3C.

OGC Announces Earth Observation Profile for Web-based Catalogue Services

2010-03-12T22:02:00.001-08:00

Open Geospatial Consortium Announcement

The Open Geospatial Consortium has announced adoption and availability
of the "OGC Catalogue Services Standard Extension Package for ebRIM
Application Profile: Earth Observation Products", and also the related
"Geography Markup Language (GML) Application Schema for EO Products."
Together, these standards, when implemented, will enable more efficient
data publishing and discovery for a wide range of stakeholders who
provide and use data generated by satellite-borne and aerial radar,
optical and atmospheric sensors.

The OASIS standard ebRIM (Electronic business Registry Information Model)
is the preferred cataloguing metamodel foundation for application
profiles of the OpenGIS Catalogue Service Web (CS-W) Standard. The CS-W
ebRIM EO standard describes a set of interfaces, bindings and encodings
to be implemented in catalog servers so that data providers can publish
descriptive information (metadata) about Earth Observation data. Developers
can also implement this standard as part of Web clients that will enable
data users and their applications to very efficiently search and exploit
these collections of Earth Observation data.

"OGC Catalogue Services Standard 2.0 Extension Package for ebRIM
Application Profile: Earth Observation Products" (OGC 06-131r6) is an
OGC Implementation Standard of subtype Application Profile. This
application profile standard "describes the interfaces, bindings and
encodings required to discover, search and present metadata from
catalogues of Earth Observation products. The profile presents a
minimum specification for catalogue interoperability within the EO
domain, with extensions for specific classes of data. It enables
CSW-ebRIM catalogues to handle a variety of metadata pertaining to
earth observation, like EO Products... EO data product collections
are usually structured to describe data products derived from a single
sensor onboard a satellite or series of satellites. Products from
different classes of sensors usually require specific product metadata.
The following classes of products have been identified so far: radar,
optical, atmospheric."

"OpenGIS Geography Markup Language (GML) Application Schema for Earth
Observation Products" (0GC 06-080r4) is an OGC Implementation Standard
of subtype GML Application Schema. It "describes the encodings required
to describe Earth Observation (EO) products from general to mission
specific characteristics. The approach consists in modelling EO data
product through a GML application schema.ISO definitions are
specified for attributes where available, although not the full ISO
schema is used for the structural definitions, which would lead to a
less efficient overall structure. The general mechanism is to create
a schema with a dedicated namespace for each level of specificity
from a general description which is common to each EO Product to a
restricted description for specific mission EO Product. Each level
of specificity is an extension of the previous one..."

IETF Publishes xCal: The XML Format for iCalendar

2010-03-12T22:00:00.000-08:00

Cyrus Daboo, Mike Douglass, and Steven Lees (eds), IETF Internet Draft

An IETF Internet Draft previously published under the title "iCalendar
XML Representation" has been revised and issued under the new title
"xCal: The XML Format for iCalendar." An added Section 5 (Handling
Link Elements in XML and iCal) now recommends a preferred format for
links in xCal documents, specifies an iCalendar extension for including
links in iCalendar documents, and describes how to convert between the
two formats.

"The iCalendar data format defined in IETF RFC 5545 is a widely deployed
interchange format for calendaring and scheduling data. While many
applications and services consume and generate calendar data, iCalendar
is a specialized format that requires its own parser/generator. In
contrast, XML-based formats are widely used for interoperability between
applications, and the many tools that generate, parse, and manipulate
XML make it easier to work with than iCalendar.

The purpose of this specification is to define 'xCal', an XML format
that allows iCalendar data to be converted to XML, and then back to
iCalendar, without losing any semantic meaning in the data. Anyone
creating XML calendar data according to this specification will know
that their data can be converted to a valid iCalendar representation
as well. Two key design considerations are: (1) Round-tripping
(converting an iCalendar instance to XML and back) will give the same
result as the starting point. (2) Preserving the semantics of the
iCalendar data. While a simple consumer can easily browse the calendar
data in XML, a full understanding of iCalendar is still required in
order to modify and/or fully comprehend the calendar data.

Handling Link Elements in XML and iCal: Both Atom (RFC 4287) and HTML
use a link element to reference external information which is related
in some way to the referencing document. iCalendar (RFC 5545) does not
have such a mechanism. There are several common use cases where it would
be useful for a calendar item to link to external structured data. For
instance, it would be useful for an event item to denote the location
of the event by referencing a vCard. Similarly, there may be a primary
contact person for the event, and that person's vCard should be linked
from the event as well. It is recommended therefore that calendar data
in the xCal format use the Atom link element, as specified in RFC 5545
section 4.2.7, for linking to external related resources. The Relation
Name 'location' designates a location for the referencing item. Typically
the location will be in the form of a vCard, but it could be some other
kind of document containing location information... A LINK extension
property for iCalendar is used to reference external documents related
to this calendar item. The property can appear on any iCalendar component,
and the value of this property is a URI which references an external
resource related to the component. Since the LINK parameter is specified
in terms of the link element defined by RFC 5545, converting between
the two is straightforward. When converting from iCalendar to xCal,
simply take any parameters present and assign their values to the
corresponding attribute on the link element. Any unknown extensions
either in the iCalendar or xCal format MAY be ignored when converting
to the other format..." More Detail

NIST Publishes Open Vulnerability and Assessment Language (OVAL)

2010-03-12T21:59:00.000-08:00

John Banghart, Stephen Quinn, David Waltermire (eds), NIST Report

An announcement from Pat O'Reilly of NIST's Computer Security Division
reports on the publication of a Draft NIST Interagency Report (IR)
7669: "Open Vulnerability and Assessment Language (OVAL) Validation
Program Test Requirements." The report defines the requirements and
associated test procedures necessary for products to achieve one or
more Open Vulnerability and Assessment Language (OVAL) Validations.
Validation is awarded based on testing a defined set of OVAL
capabilities by independent laboratories that have been accredited
for OVAL testing by the NIST National Voluntary Laboratory
Accreditation Program (NVLAP).

Open Vulnerability and Assessment Language (OVAL) is an information
security community standard to promote open and publicly available
security content, and to standardize the transfer of this information
across security tools and services. The OVAL Language is an XML
specification for exchanging technical details on how to check systems
for security-related software flaws, configuration issues, and patches.

The OVAL Language standardizes the three main steps of the assessment
process: representing configuration information of systems for testing;
analyzing the system for the presence of the specified machine state
(vulnerability, configuration, patch state, etc.); and reporting the
results of the assessment. In this way, OVAL enables open and publicly
available security content and standardizes the transfer of this content
across the entire spectrum of information security tools and services.
OVAL is maintained by the MITRE Corporation...

The NIST OVAL Validation Program is designed to test the ability of
products to use the features and functionality defined in the OVAL
Language. An information technology (IT) product vendor can obtain
one or more OVAL Validations for a product. These validations are
based on the test requirements defined in this document, which cover
four distinct but related validations based on product functionality..." more detail

W3C Last Call Review for Web Security Context: User Interface Guidelines

2010-03-12T21:57:00.000-08:00

Thomas Roessler and Anil Saldhana (eds), W3C Technical Report

Members of the W3C Web Security Context Working Group have published a
Last Call Working Draft for "Web Security Context: User Interface
Guidelines." The specification defines guidelines and requirements for
the presentation and communication of Web security context information
to end-users. Publication of this Last Call Working Draft follows the
22-December-2009 Candidate Recommendation of this specification; changes
are based on implementer feedback. A diff document details those changes.
The purpose of this Last Call is to solicit community comment on these
specific changes. The Working Group anticipates to request transition
to Proposed Recommendation once this final Last Call is successfully
concluded.

"The Working Group aims to demonstrate and test the WG's recommendations
on usable and robust communication of security context information
through implementations within the framework of one or more web user
agents. The most likely web user agents to serve as platforms for such
implementations are web browsers. To demonstrate that recommendations
are sufficiently general and interoperable, we expect implementation
in the context of at least two web user agents. We are targetting three
types of testing of our recommendations: functional testing, robustness
testing, and usability testing... All test development and testing is
iterative. The recommendations may need to be modified on the basis of
all three types of testing... Functional testing against the sample code
and appropriate deployment configurations will verify that the
recommendations can be translated to web user agent code, with no
functional ill effects on the rest of the web user agent. Robustness
testing will verify that the recommendations are robust against spoofing
attacks. Usability testing will verify that the recommendations provide
usable display of security context information...."

Overview: "Web user agents are now used to engage in a great variety and
number of commercial and personal activities. Though the medium for
these activities has changed, the potential for fraud has not. This
Working Group is chartered to recommend user interfaces that help users
make trust decisions on the Web. In-scope categories of technology and
information include: (1) Web interactions: user interactions on the Web,
using the HTTP and HTTPS protocols, where Web interactions involve other
application-level protocols, including, e.g., SOAP or FTP; (2) User
agents: a user agent is software to access Web content, including desktop
graphical browsers, text browsers, voice browsers, mobile phones,
multimedia players, plug-ins, and some software assistive technologies
used in conjunction with browsers such as screen readers, screen
magnifiers, and voice recognition software; (3) Entity identification,
where a web browsing session is like a conversation, where the user
converses with various entities, some known, and others newly encountered,
and each resource the user interacts with is identified by a URI. (4)
Third-party recommendation; (5) Historical browsing information...

The goal of this Working Group is to enable users to come to a better
understanding of the context that they are operating in when making
trust decisions on the Web; e.g., giving up passwords or other sensitive
information to possibly malicious sites... Current Web user agents
communicate only a small portion of available security context information
to users in a way that is easily perceived and understood. Other context
information that might be available to user agents and possibly helpful
to users is either not presented, or presented in a way that is not
understood by users, and hence useless or confusing. This information
ranges from logotypes and company names and addresses that might be
present in PKI certificates, to the user agent's memory of past
activities..." more detail

OASIS Opens Public Review for Test Assertions v1.0 Specifications

2010-03-12T21:56:00.001-08:00

Stephen Green and Dmitry Kostovarov (eds), OASIS Committee Drafts

Members of the OASIS Test Assertions Guidelines (TAG) Technical Committee
have released three approved Committee Draft specifications for public
review through May 09, 2010. This OASIS TC was chartered in April 2007
in to "facilitate the creation and usage of test assertions by any group
involved in designing a specification or standard of which software
implementations are expected to be developed, with a primary focus on
OASIS technical committees. The first step in achieving this is to
establish a common and reusable model, metadata, methodology and
representation for TAs (test assertions).

"Test Assertions Part 1 - Test Assertions Model Version 1.0" specifies
"mandatory and optional components of a test assertion model. A test
assertion is a testable or measurable expression for evaluating the
adherence of part of an implementation to a normative statement in a
specification. It describes the expected output or behavior for the
test assertion target within specific operation conditions, in a way
that can be measured or tested. A Test Assertion should not be confused
with a Conformance Clause, nor with a Test Case... Test assertions
may help provide a tighter specification: Any ambiguities,
contradictions and statements which require excessive resources for
testing can be noted as they become apparent during test assertion
creation. If there is still an opportunity to correct or improve the
specification, these notes can be the basis of comments to the
specification authors. If not developed by the specification authors,
test assertions should be reviewed and approved by them which will
improve both the quality and time-to-deployment of the specification...
Test assertions provide a starting point for writing a conformance
test suite or an interoperability test suite for a specification that
can be used during implementation. They simplify the distribution of
the test development effort between different organizations while
maintaining consistent test quality."

"Test Assertions Part 2 - Test Assertion Markup Language Version 1.0"
defines a markup for writing test assertions, where Section 3 presents
the corresponding XML Schema for the vocabulary. Key markup language
elements include testAssertion, normativeSource (precise specification
requirements or normative statements that the test assertion addresses),
target (the implementation or part of an implementation that is the
object of a test assertion or test case, categorizing an implementation
or a part of an implementation of the referred specification, whether
a specific item or a category of items), prerequisite, predicate,
prescription, description, tag, var, report. etc.

"Test Assertions Guidelines" provides "guidelines and best practices
for writing test assertions along with mandatory and optional components
of a test assertion model. Its purpose is to help the reader understand
what test assertions are, their benefits, and most importantly, how
they are created. As you will discover, test assertions can be an
important and useful tool in promoting the quality of specifications,
test suites and implementations of specifications. You will learn that
there are many ways to create test assertions. By following the
guidelines in this document, you will learn how to develop well-defined
test assertions that can have useful purposes and applications such as
the starting point for a conformance test suite for a specification.
Experiences in developing test assertions will be shared, along with
lessons learned, helpful tricks and tools, hazards to avoid, and other
knowledge that may be helpful in crafting test assertions. This document
is limited to the essentials of test assertions..."

Windows Domain to Amazon EC2 Single Sign-On Access Solutions

2010-01-23T01:44:00.001-08:00

David Chappell, the Principal of Chappell & Associates, US, has writtena whitepaper proposing several solutions for Single Sign-on (SSO) accessto applications deployed on Amazon EC2 from a Windows domain. InfoQexplored these solutions to understand what the benefits and tradeoffseach one presented.
The paper is: "Connecting to the Cloud: Providing Single Sign-On toAmazon EC2 Applications from an On-Premises Windows Domain." Excerpt:"Users hate having multiple passwords. Help desks hate multiple passwordstoo, since users forget them. Even IT operations people hate them,because managing and synchronizing multiple passwords is expensive andproblematic. Providing single sign-on (SSO) lets users log in just once,then access many applications without needing to enter more passwords.It can also make organizations more secure by reducing the number ofpasswords that must be maintained. And for vendors of Software as aService (SaaS), SSO can make their applications more attractive by lettingusers access them with less effort...
With the emergence of cloud platforms, new SSO challenges have appeared.For example, Amazon Web Services (AWS) provides the Amazon ElasticCompute Cloud (Amazon EC2). This technology lets a customer create AmazonMachine Images (AMIs) containing an operating system, applications, andmore. The customer can then launch instances of those AMIs (virtualmachines) to run applications on the Amazon cloud. Similarly, Microsoftprovides Windows Azure, which lets customers run Windows applications onMicrosoft's cloud. When an application running on a cloud platform needsto be accessed by a user in an on-premises Windows domain, giving thatuser single sign-on makes sense. Fortunately, there are several waysto do this..."
"SSO is an important feature to have when the number of on-premises andInternet accounts created by users grow to large numbers, making thetask of administering them increasingly difficult. This will likelyresult in more requests to software vendors for SSO support/solutionssince these make the users' lives simpler and reduce administration costs..."
http://www.infoq.com/news/2010/01/Windows-EC2-Single-Sign-OnSee also the white paper: http://download.microsoft.com/download/6/C/2/6C2DBA25-C4D3-474B-8977-E7D296FBFE71/EC2-Windows%20SSO%20v1%200--Chappell.pdf

W3C Invites Implementations of W3C XSD Component Designators

2010-01-23T01:43:00.002-08:00

Members of the W3C XML Schema Working Group now invite implementationof the Candidate Recommendation specification "W3C XML Schema DefinitionLanguage (XSD): Component Designators." The Candidate Recommendationreview period for this document extends until 1-March-2010. Comments onthis document should be made in W3C's public installation of Bugzilla,specifying 'XML Schema' as the product.
A test suite is under development that identifies the set of canonicalschema component paths that should be generated for particular testschemas, and that relates certain non-canonical component paths to thecorresponding canonical schema component paths. The W3C XML SchemaWorking Group has agreed on the following specific CR exit criteria:(1) A test suite is available which provides cases for each axis andcomponent type, both for the XML Schema 1.0 component model and the XMLSchema 1.1 component model. (2) Generation or interpretation of canonicalschema component paths have been implemented successfully by at leasttwo independent implementations. (3) Generation or interpretation ofeach axis and component for non-canonical schema component paths hasbeen implemented successfully by at least two independent implementations.(4) The Working Group has responded formally to all issues raisedagainst this document during the Candidate Recommendation period.
"XML Schema: Component Designators" defines a scheme for identifying XMLSchema components as specified by 'XML Schema Part 1: Structures' and'XML Schema Part 2: Datatypes'. Part 1 of the W3C XML Schema DefinitionLanguage (XSD) recommendation defines these schema components, whereSection 2.2 lays out the inventory of schema components into three classes:(a) Primary components: simple and complex type definitions, attributedeclarations, and element declarations (b) Secondary components: attributeand model group definitions, identity-constraint definitions, and notationdeclarations (c) "Helper" components: annotations, model groups, particles,wildcards, and attribute uses In addition there is a master schemacomponent, the schema component representing the schema as a whole..."
http://www.w3.org/TR/2010/CR-xmlschema-ref-20100119/See also the W3C XML Schema Working Group: http://www.w3.org/XML/Schema

Principles for Standardized REST Authentication

2010-01-23T01:43:00.001-08:00

"Working with the programming APIs for cloud providers and SaaS vendorshas taught me two things: (i) There are very few truly RESTfulprogramming APIs. (ii) Everyone feels the need to write a customauthentication protocol. I've programmed against more web servicesinterfaces than I can remember. In the last month alone, I've writtento web services APIs for Aria, AWS, enStratus, GoGrid, the RackspaceCloud, VMOps, Xero, and Zendesk. Each one requires a differentauthentication mechanism. Two of them (Aria and AWS) defy all logic andrequire different authentication mechanisms for different parts of theirrespective APIs. Let's end this here and now...
Here's a set of standards that I think should be in place for any RESTauthentication scheme. Here's the summary: (1) All REST API calls musttake place over HTTPS with a certificate signed by a trusted CA. Allclients must validate the certificate before interacting with the server.(2) All REST API calls should occur through dedicated API keys consistingof an identifying component and a shared, private secret. Systems mustallow a given customer to have multiple active API keys and de-activateindividual keys easily. (3) All REST queries must be authenticated bysigning the query parameters sorted in lower-case, alphabetical orderusing the private credential as the signing token. Signing should occurbefore URL encoding the query string...
This is a battle I know I am going to lose. After all, people stillcan't settle on being truly RESTful (just look at the AWS EC2 monstrosityof an API). Authentication is almost certainly a secondary consideration.If you are reading this post and just don't want to listen to mysuggestions, I plead with you to follow someone else's example and notroll your own authentication scheme..."
Dilip Krishnan (Blog 'RESTful API Authentication Schemes') provides asummary and encourages readers to weigh in on the recommendations.

http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authentication.htmlSee also Dilip Krishnan: http://www.infoq.com/news/2010/01/rest-api-authentication-schemes

Call for Participation: W3C Workshop on the Next Steps for RDF

2010-01-23T01:42:00.001-08:00

W3C is organizing a Workshop on the Next Steps for RDF around June,2010 as described in the Call for Participation. The deadline forposition papers is 29-March-2010. Each participant in the workshop mustbe associated with a position paper. W3C membership is not requiredto participate in the Workshop.

The goal of the workshop is to gather feedback from the Web communityon whether and, if yes, in which direction RDF should evolve. One ofthe main issues the Workshop should help deciding is whether it istimely for W3C to start a new RDF Working Group to define and standardizea next version of RDF.

While a new version of RDF may include changes in terms of features,semantics, and serialization syntax(es), backward compatibility is ofa paramount importance. Indeed, RDF has been deployed by tools andapplications, and the last few years have seen a significant uptake ofSemantic Web technologies and publication of billions of triples stemmingfrom public databases (see, eg, the Linked Open Data community). Itwould be, therefore, detrimental to this evolution if RDF was seen asunstable and if the validity of current application would be jeopardizedby a future evolution. As a consequence, with any changes of RDF,backward compatibility requirements should be formalized..."

Background: "The Resource Description Framework (RDF), including thegeneral concepts, its semantics, and an XML Serialization (RDF/XML),have been published in 2004. Since then, RDF has become the corearchitectural block of the Semantic Web, with a significant deploymentin terms of tools and applications. As a result of the R&D activitiesand the publication of newer standards like SPARQL, OWL, POWDER, orSKOS, but also due to the large scale deployment and applications, anumber of issues regarding RDF came to the fore. Some of those arerelated to features that are not present in the current version of RDFbut which became necessary in practice (e.g., the concept of NamedGraphs). Others result from the difficulties caused by the designdecisions taken in the course of defining the 2004 version of RDF (e.g.,restrictions whereby literals cannot appear as subjects). Definitionof newer standards have also revealed difficulties when applying thesemantics of RDF (e.g., the exact semantics of blank nodes for RIF andOWL, or the missing connection between URI-s and the RDF resourcesnamed by those URI-s for POWDER). New serializations formats (e.g., Turtle)have gained a significant support by the community, while thecomplications in RDF/XML syntax have created some difficulties in practiceas well as in the acceptance of RDF by a larger Web community. Finally,at present there is no standard programming API to manage RDF data;the need may arise to define such a standard either in a general,programming language independent way or for some of the importantlanguages (Javascript/ECMAscript, Java, Python, etc)..." More Info

Earth Observation Application Profile for OGC Catalogue Services

2010-01-23T01:40:00.000-08:00

The Open Geospatial Consortium (OGC) has announced adoption andavailability of the "OGC EarthObservation (EO) Application Profile for the OGC Catalogue Services -- (CSW) Specification" Version 2.0.2. The EO-CSW standard will benefit a wide range of stakeholders involved in the provision and use of datagenerated by satellite-borne and aerial radar, optical and atmosphericsensors.

The EO-CSW standard describes a set of interfaces, bindings andencodings that can be implemented in catalog servers that dataproviders will use to publish collections of descriptive information(metadata) about Earth Observation data and services. Developers canalso implement this standard as part of Web clients that enable datausers and their applications to very efficiently search and exploitthese collections of Earth Observation data and services.

This specification is part of a set that describe services for managingEarth Observation (EO) data products. The services include collectionlevel, and product level catalogues, online-ordering for existing andfuture products, on-line access etc. These services are put intocontext in an overall document 'Best Practices for EO Products'. Theservices proposed are intended to support the identification (EO) dataproducts from previously identified data collections. In other words,the search and present of metadata from catalogues of EO data products.

The intent of the profile is to describe a cost effective interfacethat can be supported by many data providers (satellite operators,data distributors...), most of whom have existing (and relatively complex)facilities for the management of these data. The strategy is to reuseas far as possible the SOAP binding defined in the ISO ApplicationProfile, except the schemas defining the information model. To achievea cost effective interface, some choices will be limited by textualcomments. EO data product collections are usually structured to describedata products derived from a single sensor onboard a satellite or seriesof satellites. Products from different classes of sensors usually requirespecific product metadata. The following classes of products have beenidentified so far: radar, optical, atmospheric. The proposed approachis to identify a common set of elements grouped in a common (HMA)schema and extend this common schema to add the sensors specific metadata. More Info

W3C First Public Working Draft for Contacts API Specification

2010-01-23T01:39:00.000-08:00

Members of the W3C Device APIs and Policy Working Group have publisheda First Public Working Draft for "The Contacts API" specification. Itdefines an API that provides access to a user's unified address book.
The API has been designed to meet requirements and use cases specifiedin the draft. Use cases: (1) Upload a set of contact details to a user'ssocial network; (2) Download a set of contact details from a user'ssocial network; (3) A user would like to keep their work address bookand personal address book seperate; (4) A user maintains a singleunified address book but would like to maintain groups of contactswithin that address book; (5) Use a web interface to manage contactdetails on both the user's device and the web; (6) A user would like toexport contacts from the one address book store and import them toanother address book store; (7) A user would like to be notified whenfriends have a birthday coming up; (8) A user would like his/hercontacts to update their own contact details via a mediating WebApplication and sync any changes to their current address book.

Details: "The Contacts API defines a high-level interface to provideaccess to the user's unified contact information, such as names,addresses and other contact information. The API itself is agnostic ofany underlying address book sources and data formats... The Contactsinterface exposes a database collecting contacts information, suchthat they may be created, found, read, updated, and deleted. Multipleaddress books, taken from different sources, can be represented withinthis unified address book interface...

The programmatic styles of the Contacts API and Geolocation API are verysimilar and because they both have the the same implied user experiencewithin the same implied User Agent the general security and privacyconsiderations of both APIs should remain common. The ability to alignthe security and privacy considerations of the Geolocation API withDAP APIs is important for the potential future benefit of making anysecurity and privacy mechanisms developed within the DAP WG applicableto the Geolocation API at some point in its own ongoing development...A conforming implementation of this specification must provide amechanism that protects the user's privacy and this mechanism shouldensure that no contact information is creatable, retrivable, updateableor removable without the user's express permission... More Info

Microsoft Urges Laws to Boost Trust in the Cloud

2010-01-22T05:19:00.002-08:00

Microsoft is so concerned about the future of cloud computing thatit's urging the government to step in. In a speech Wednesday[2010-01-20], Microsoft general counsel and senior vice presidentBrad Smith called on government and business to shore up confidencein cloud computing by tackling issues of privacy and security -- twomajor concerns that have been voiced about the cloud...
A Microsoft survey found that 58 percent of the public and 86 percentof business leaders are excited about the possibilities of cloudcomputing. But more than 90 percent of them are worried about security,availability, and privacy of their data as it rests in the cloud.Microsoft said it also found that most of the people surveyed believethe U.S. should set up laws and policies to govern cloud computing...
During his speech, Smith proposed that Washington create a CloudComputing Advancement Act that would protect consumers and give thegovernment tools to handle issues such as data privacy and security.He added that an international dialogue is crucial in addressing datasecurity so that information is protected no matter where it resides.In proposing legislation, Microsoft is looking to the government toenact specific measures, including to: (1) Beef up the ElectronicCommunications Privacy Act to more clearly define and protect theprivacy of consumers and businesses; (2) Update the Computer Fraud andAbuse Act so that law enforcement has the resources it needs to combathackers; (3) Establish truth-in-cloud-computing principles so thatconsumers and businesses know how their information will be accessedand secured; (4) Set up a framework so that differences in regulationson cloud computing among various countries can be better clarifiedand reconciled... More Info

IETF Internet Draft on Web Linking Considered as a Proposed Standard

2010-01-22T05:19:00.001-08:00

The Internet Engineering Steering Group (IESG) announced receipt of aa request to consider version -07 of the "Web Linking" specificationas an IETF Proposed Standard. The IESG plans to make a decision in thenext few weeks, and solicits final comments on this action through2010-02-17.
This document specifies relation types for Web links, and defines aregistry for them. It also defines the use of such links in HTTP headerswith the Link header-field.
Background: "A means of indicating the relationships between resourceson the Web, as well as indicating the type of those relationships, hasbeen available for some time in HTML, and more recently in Atom (IETFRFC 4287). These mechanisms, although conceptually similar, are separatelyspecified. However, links between resources need not be format-specific;it can be useful to have typed links that are independent of theirserialisation, especially when a resource has representations inmultiple formats. To this end, this document defines a framework fortyped links that isn't specific to a particular serialisation orapplication. It does so by re-defining the link relation registryestablished by Atom to have a broader domain, and adding to it therelations that are defined by HTML.
Appendix E (Document History) in this 25-page document lists some sixteen(16) changes since the publication of version -06 (20 pages): Allowedmultiple spaces between relation types; Relaxed requirements forregistered relations; Removed Defining New Link Serialisations appendix;Added Field registry; Added registry XML format; Changed registrationprocedure to use mailing list(s), giving the Designated Experts moreresponsibility for the smooth running of the registry; Loosened prohibitionagainst media-specific relation types to SHOULD NOT; Disallowedregistration of media-specific relation types -- can still be used asextension types; Clarified that parsers are responsible for resolvingrelative URIs; Fixed ABNF for extended-initial-value; Fixed 'title*'parameter quoting in example; Added notes for registered relations thatlack a reference; Added 'hreflang' parameter; Clarified status of 'rev';Removed advice to use '@profile' in HTML4; Clarified what multiple'*title' and 'hreflang' attributes mean... More Info

Heartland Moves To Encrypted Payment System

2010-01-22T05:18:00.001-08:00

"Responding to its widely reported and massive data breach that tookplace a year ago, Heartland Payment Systems will be moving to anend-to-end encryption system for payment transactions, according toChairman and CEO Robert Carr: 'We're using encryption on the front endto keep card numbers out of our merchants' systems, and to also haveall the card numbers coming through our network be encrypted throughout,except at the point of decryption'. In January 2009, Heartland PaymentSystems reported that it found that intruders had penetrated its systemsand planted software to harvest card numbers, using SQL injectionattacks to plant programs inside the network that would sniff the cardnumbers.
Heartland, which handles more than 4 billion transactions annually formore than 250,000 merchants, will be using Thales nShield Connecthardware security module along with Voltage Security's SecureDataencryption software as the basis of this capability... This new systeminvolves installing a tamper-resistant security module (TRSM) at thepoint-of-sale system. When a card is swiped, the TRSM encrypts thecard's number with a public key using Identity Based Encryption, andit is sent to the Heartland gateway. This new system will offermerchants the capability to encrypt cards so the merchant themselveswill not house the card numbers on their systems at all, explainedTerrence Spies, the chief technology officer for Voltage Security. Mostmerchant payment-processing systems encrypt the PIN number or securitynumbers of cards. The card numbers themselves aren't typically encryptedat the cash registers, also called point-of-sale systems.
Spies: "The HSM controls the process of decrypting the private key...This system will use a technique called format-preserving encryption(FPE), which means the encrypted numbers will be the same length asthe original card numbers, allowing the encrypted numbers to be usedin other database systems as identifiers, rather than the originalnumbers. Heartland piloted a few test systems with merchants last yearand now plans to start offering the service to all its customers.Because moving to the card encryption will require purchasing newhardware for the register, Heartland will offer the end-to-end encryptionas an opt-in... Carr said that if the merchant implements the systemcorrectly and it then suffers a breach involving the leakage of cardnumbers, then Heartland will assume the liability for the breach..." More Info

Open Source Clouds on the Rise

2010-01-22T05:17:00.000-08:00

"Cloud computing has the potential to transform how government agenciestap into IT services, and open source is an underlying technology inseveral of the early government clouds that have been developed... Achallenge for government agencies is determining how one cloud can workwith other clouds and IT systems to provide the same secure, robustinfrastructure that exists with traditional IT environments. Here'swhere agencies may turn to open source, which has the advantage of'openness,' providing flexibility, interoperability, and the potentialfor customization without the risks of vendor lock-in...
Components of the open source software stack that are being used tobuild and manage clouds include the Linux operating system, Eucalyptus(incorporates the Apache Axis2 Web services engine, Mule enterpriseservice bus, Rampart security, and Libvirt virtualization), Datacloud,Nimbus' EC2 interface (lets organizations access public cloudinfrastructures), virtual machine hypervisors, and Zend Technologies'Simple API (can be used for calling a cloud service from multiple clouds;GoGrid, IBM, Microsoft, Nirvanix Storage Delivery Network, and RackspaceFiles all support it).
In an example of how the pieces fit together, NASA's Ames Research Centeris using Eucalyptus, the Lustre file system, Django Web applicationframework, and SOLR indexing and search engine in its Nebula cloud.Standards are still needed to ensure the viability of open source clouds,and reliability and security have to be proven. With those concerns onthe table, the gradual adoption of cloud computing, along with opensource, is the path we're on. Open source can help minimize up-frontinvestment, give agencies control over their clouds, and tap into sharedresources..." More Info

W3C First Public Working Draft for Selectors API Level 2

2010-01-22T05:16:00.000-08:00

Members of the W3C Web Applications Working Group have published a FirstPublic Working Draft for the specification "Selectors API Level 2."Selectors, which are widely used in Cascading Style Sheets (CSS), arepatterns that match against elements in a tree structure...
The Selectors API specification defines methods for retrieving Elementnodes from the DOM by matching against a group of selectors, and fortesting if a given element matches a particular selector. It is oftendesirable to perform DOM operations on a specific set of elements ina document. These methods simplify the process of acquiring and testingspecific elements, especially compared with the more verbose techniquesdefined and used in the past...
Implementors should be aware that this specification is not stable.Implementors who are not taking part in the discussions are likely tofind the specification changing out from under them in incompatible ways.Vendors interested in implementing the specification before iteventually reaches the Candidate Recommendation stage should join theappropriate mailing lists and take part in the discussions..." More Info

OASIS Public Review Draft for Production Planning and Scheduling (PPS)

2010-01-22T05:15:00.000-08:00

Members of the OASIS Production Planning and Scheduling (PPS) TechnicalCommittee have released an approved set of PPS specifications forpublic review through March 12, 2010. This TC was chartered in 2003to "develop common object models and corresponding XML schemas forproduction planning and scheduling software, which can communicate witheach other in order to establish collaborative planning and schedulingon intra and/or inter enterprises in manufacturing industries."
"OASIS PPS (Production Planning and Scheduling) specifications deal withproblems of decision-making in all manufacturing companies who want tohave a sophisticated information system for production planning andscheduling. PPS specifications provide XML schema and communicationprotocols for information exchange among manufacturing applicationprograms in the web-services environment...
"PPS (Production Planning and Scheduling) Part 1: Core Elements, Version1.0" focuses on an information model of core elements which can be usedas ontology in the production planning and scheduling domain. Since theelements have been designed without particular contexts in planning andscheduling, they can be used in any specific type of messages as abuilding block depending on the context of application programs.
"PPS (Production Planning and Scheduling) Part 2: Transaction Messages,Version 1.0" focuses on transaction messages that represent domaininformation sending or receiving by application programs in accordancewith the context of the communication, as well as transaction rules forcontexts such as pushing and pulling of the information required..."PPS (Production Planning and Scheduling) Part 3: Profile Specifications,Version 1.0" focuses on profiles of application programs that may exchangethe messages. Application profile and implementation profile are defined.Implementation profile shows capability of application programs in termsof services for message exchange, selecting from all exchange itemsdefined in the application profile. The profile can be used fordefinition of a minimum level of implementation of application programswho are involved in a community of data exchange..." More Info

OAuth Web Resource Authorization Profiles

2010-01-22T05:13:00.000-08:00

IETF has published an Internet Draft for "OAuth Web ResourceAuthorization Profiles." The OAuth Web Resource Authorization Profiles(OAuth WRAP) allow a server hosting a Protected Resource to delegateauthorization to one or more authorities. An application (Client)accesses the Protected Resource by presenting a short lived, opaque,bearer token (Access Token) obtained from an authority (AuthorizationServer). There are Profiles for how a Client may obtain an Access Tokenwhen acting autonomously or on behalf of a User.
Background: "As the internet has evolved, there is a growing trend fora variety of applications (Clients) to access resources through an APIover HTTP or other protocols. Often these resources require authorizationfor access and are Protected Resources. The systems that are trustedto make authorization decisions may be independent from the ProtectedResources for scale and security reasons. The OAuth Web ResourceAuthorization Profiles (OAuth WRAP) enable a Protected Resource todelegate the authorization to access a Protected Resource to one ormore trusted authorities.
Clients that wish to access a Protected Resource first obtainauthorization from a trusted authority (Authorization Server). Differentcredentials and profiles can be used to obtain this authorization, butonce authorized, the Client is provided an Access Token, and possiblea Refresh Token to obtain new Access Tokens. The Authorization Servertypically includes authorization information in the Access Token anddigitally signs the Access Token. Protected Resource can verify thatan Access Token received from a Client was issued by a trustedAuthorization Server and is valid. The Protected Resource can thenexamine the contents of the Access Token to determine the authorizationthat has been granted to the Client.
The Access Token is opaque to the Client, and can be any format agreedto between the Authorization Server and the Protected Resource enablingexisting systems to reuse suitable tokens, or use a standard tokenformat such as a Simple Web Token or JSON Web Token. Since the AccessToken provides the Client authorization to the Protected Resource forthe life of the Access Token, the Authorization Server should issueAccess Tokens that expire within an appropriate time. When an AccessToken expires, the Client requests a new Access Token from theAuthorization Server, which once again computes the Client'sauthorization, and issues a new Access Token... Two Profiles arerecommended for scenarios involving a Client acting autonomously:(1) Client Account and Password Profile, where the Client is provisionedwith an account name and corresponding password by the AuthorizationServer; (2) Assertion Profile, which enables a Client with a SAML orother assertion recognized by the Authorization Server...
More Info

The Spirit of Schematron in Test Driven Development (TDD)

2008-04-16T06:27:00.001-07:00

Test Driven Development is a relatively popular methodology nowadays
and I think XML tools can play crucial aspect in better testing. Testing
frameworks are more than capable of using and testing XML based
applications, but just in case you have ever had trouble, here are a
few tips. XSLT makes for an excellent transformation tool for massaging
XML data. This means it also can be a helpful tool to reduce large XML
data sets to something manageable, whether it is XML or not. For example
[see the] simple XSLT stylesheet that will return content on errors
checking an Atom Feed, which is is exceptionally simple, but hopefully
it makes the point. In the example, you'll also notice that the output
was not contained in a XML Element. Sometimes it is easier to just parse
a simple text file line by line, so this might be that situation. Likewise,
having a designated set of test elements could be helpful -- think reports
transformed to HTML). That said, the goal is not to create some enormous
test framework in XML and XSLT. The real goal is to use a great tool for
transforming XML to something you can use easily. I wouldn't necessarily
suggest trying to validate the content of an element or do complex string
parsing. XSLT 1.0 isn't really the easiest language for string parsing
or complex math with out a little help. You can always add your own
extension functions to help out, but hopefully keeping things simple by
massaging the data gets you 80% of the way. The idea here is make things
palatable to your own tastes... I like XML, but I hate XML Schema and
DTDs. RELAX NG is slightly better option, but when you just want to make
sure some value is present, the above methods can be a simpler solution.
The essence of the above suggestions come from Schematron, an excellent
validation tool that is as simple as knowing XPath. Schematron in fact
has been implemented using XSLT, so adding it to your existing test
framework should be relatively simple. There are times when XML seems
to present a subtle problem within the world of object oriented languages.
It's not a hard problem on a technical level. Working with XML is
relatively simple with many examples and resources. Things get hard when
you don't have good tools to help you along the way. The XML landscape
to your programming language of choice when XML has more than enough
tools to seamlessly integrate testing your XML along side your models,
views, controllers and integrations.

Don't Be Surprised By E-Discovery

2008-04-16T06:26:00.000-07:00

E-discovery requires government agencies to know what electronic
documents they have and be able to find them quickly if someone requests
them for a court case. That's no small task considering the enormous
volume of electronic documents created by the typical organization.
Email messages and attachments represent a good chunk of the problem,
but word-processing documents, PDFs and other digital information also
contribute to the management challenge. The amended Federal Rules of
Civil Procedure, which has heightened awareness of e-discovery, cover
a wide range of data types under the umbrella of electronically stored
information... E-discovery experts recommend establishing a taxonomy
and creating metadata tags for electronic information. The taxonomy
provides a general way to classify information, and metadata provides
detail on information to make searches more fruitful. The Electronic
Discovery Reference Model project devised an Extensible Markup Language
(XML) schema to consistently describe electronic information. [Penny]
Quirk said EDRM created the XML e-discovery standard to ensure that
consistent and common nomenclature is used for business records during
the e-discovery process; the project is scheduled for completion in this
year's second quarter... Electronic documents culled in e-discovery and
used in litigation demand special treatment: documents compiled in
significant cases at the Justice Department are kept as permanent records
of the government. Records in garden-variety cases in federal court are
considered temporary, but they might still be housed for a number of
years at one of the National Archive's Federal Records Centers. The
National Archives tapped Lockheed Martin in 2005 to build an Electronic
Records Archives system that will help the agency ingest electronic
records flagged for permanent storage; the aim now is to accept
government reco ds in any format, encapsulating each electronic document
in an XML metadata wrapper.

Proposal for IETF NETCONF Data Modeling Language Working Group

2008-04-16T06:25:00.002-07:00

The IESG Secretary announced that a new IETF working group has been
proposed in the Operations and Management Area, described in a draft
NETMOD Charter. The NETCONF Working Group has completed a base protocol
to be used for configuration management. However, the NETCONF protocol
does not include a standard content layer. The specifications do not
include a modeling language or accompanying rules that can be used to
model the management information that is to be configured using NETCONF.
This has resulted in inconsistent syntax and interoperability problems.
The purpose of NETMOD is to support the ongoing development of IETF
and vendor-defined data models for NETCONF. The WG will define a
"human-friendly" modeling language defining the semantics of operational
data, configuration data, notifications, and operations. This language
will focus on readability and ease of use. This language must be able
to serve as the normative description of NETCONF data models. The WG
will use YANG as its starting point for this language. Language
abstractions that facilitate model extensibility and reuse have been
identified as a work area and will be considered as a work item or
may be integrated into the YANG document based on WG consensus. The
WG will define a canonical mapping of this language to NETCONF XML
instance documents, the on-the-wire format of YANG-defined XML content.
Only data models defined in YANG will have to adhere to this on-the-wire
format. In order to leverage existing XML tools for validating NETCONF
data in various contexts and also facilitate exchange of data models
SDL data modeling framework (ISO/IEC 19757) with additional annotations
to preserve semantics. The initial YANG mapping rules specifications
are expressly defined for NETCONF modeling. However, there may be
future areas of applicability beyond NETCONF, and the WG must provide
suitable language extensibility mechanisms to allow for such future
work. The NETMOD WG will only address modeling NETCONF devices and the
language extensibility mechanisms... Initial deliverables: (1) An
architecture document explaining the relationship between YANG and
its inputs and outputs; (2) The YANG data modeling language and
semantics; (3) Mapping rules of YANG to XML instance data in NETCONF;
(4) YIN, a semantically equivalent fully reversible mapping to an
XML-based syntax for YANG. YIN is simply the data model in an XML
syntax that can be manipulated using existing XML tools (e.g., XSLT);
(5) Mapping rules of YANG to DSDL data modeling framework (ISO/IEC 19757),
including annotations for DSDL to preserve top-level semantics during
translation; (6) A standard type library for use by YANG. The IESG
has not made any determination as yet; please send your comments to
the IESG mailing list by April 22, 2008.

W3C Invites Public Comment on Content Transformation Guidelines 1.0

2008-04-16T06:25:00.001-07:00

W3C announced that the Mobile Web Best Practices Working Group has
published the First Public Working Draft for "Content Transformation
Guidelines 1.0." This document provides guidance to managers of content
transformation proxies and to content providers for how to coordinate
when delivering Web content. Content transformation techniques diverge
widely on the web, with many non-standard HTTP implications, and no
well-understood means either of identifying the presence of such
transforming proxies, nor of controlling their actions. From the point
of view of this document, Content Transformation is the manipulation in
various ways, by proxies, of requests made to and content delivered by
an origin server with a view to making it more suitable for mobile
presentation. The W3C MWI BPWG neither approves nor disapproves of
Content Transformation, but recognizes that is being deployed widely
across mobile data access networks. The deployments are widely divergent
to each other, with many non-standard HTTP implications, and no
well-understood means either of identifying the presence of such
transforming proxies, nor of controlling their actions. This document
establishes a framework to allow that to happen.

Use HATS to Generate Atom Feeds for Mainframe Applications

2008-04-16T06:24:00.001-07:00

Nowadays, content distributors deliver all content, including news and
site updates, as feeds. Most enterprise applications use feeds for
various purposes, including to monitor an application and check the
status of a project. Content providers publish a feed link on their site
that users register with a feed reader. The feed reader checks for
updates to the registered feeds at regular intervals. When it detects
an update in the content, the feed reader requests the updated content
from the content provider. The feeds contain only a summary of the content,
but they provide a link to the detailed content. Atom Syndication Format
and RSS are the most common specifications of feeds. We're using Atom
feeds in this article, but you can change easily to RSS feeds with a
little modification. This article leverages a product called IBM
WebSphere Host Access Transformation Services (HATS), which converts
any given green-screen, character-based 3270 or 5250 host application
into a Web application (HTML) or rich-client application. HATS also allows
programmatic interfaces to convert the identified content in these host
applications into any other format. We take a step-by-step approach to
show you how to write a HATS program that converts the host application
content into Atom feeds... Delivering data as Atom feeds in mainframes
opens a new world of possibilities for enterprise applications.
Organizations can use mashup editors to extract data from companies with
external or internal feeds and create new applications or information.
For example, call centers can take advantage of mashups by passing a
calling customer's ZIP code information to Google Maps to identify the
location of the customer. This can help the call center employees
personalize the conversation by enquiring about the weather from the
customer's location, and so on. The delivery of data as Atom feeds in
mainframe servers is one of the fundamental building blocks that enables
an organization to embrace Web 2.0.

Apache Abdera: Atom, AtomPub, and Java

2008-04-16T06:23:00.000-07:00

The Apache Abdera project, an open source Atom Syndication and Atom
Publication Protocol implementation currently still in its incubation
phase, has recently reached its 0.40 milestone, an important step towards
graduation [as an Apache project]. Snell: "While Atom and AtomPub
certainly began life as a way of syndicating and publishing Weblog
content, it has proven useful for a much broader range of applications.
I've seen Atom being used for contacts, calendaring, file management,
discussion forums, profiles, bookmarks, wikis, photo sharing, podcasting,
distribution of Common Alerting Protocol alerts, and many other cases.
Atom is relevant to any application that involves publishing and managing
collections of content of any type... Abdera is an open source
implementation of the Atom Syndication Format and Atom Publishing Protocol.
It began life as a project within IBM's WebAhead group and was donated to
the Apache Incubator in June 2006. Since then, it has evolved into the
most comprehensive open-source, Java-based implementation of the Atom
standards.. Abdera has been part of the Apache Incubator for long enough.
While there are still some details to work out, I would very much like
to see Abdera graduate to its own Top Level Project at Apache, and become
host to a broad range of Atom-based applications." Diephouse: "Look to
some of the public services out there: most of the APIs for Google are
based on AtomPub. Microsoft is moving toward it for web APIs too. These
services are all going beyond just blogs. AtomPub goes beyond public web
APIs as well -- I've noticed that many enterprises are starting to use
AtomPub for some of their internal services as well. Both AtomPub and
SOAP/WSDL give you a way to build a service for others to use. But AtomPub
takes a fundamentally different approach to helping users implement
services. It implements constraints which give new types of freedom.
Because the data format is constrained -- every entry has a title, entry,
id, and content/summary -- I can use an Atom feed from any type of
application and get some useful information out of it... Abdera includes
support for developing/consuming AtomPub services, an IRI library, a URI
template library, unicode normalization, extensions for things like XML
signature/encryption, GData, GeoRSS, OAuth, JSON and more. One of the
cool new things in the latest release are a set of 'adapters' which allow
you to have an AtomPub service without any coding by storing entries in
JDBC, JCR or the filesystem...

Who Trumps bin Laden as a Cyberthreat? Look in the Mirror.

2008-04-13T23:42:00.000-07:00

From the San Francisco RSA 2008 Conference: "It turns out al-Qaida's
leader and his cohorts aren't the biggest threat to our cybersecurity.
You are... Security gurus have long urged the business world to turn
network security into part of the corporate DNA. The message is not
fully getting through. And now we're seeing the predictable results.
In years past, [Symantec CEO John] Thompson and other computer security
executives have pushed the idea of making cyber-security as familiar
to most people as the fire prevention campaign underwritten by the
government in the 1960s and 1970s. Considering the amount of money
Uncle Sam is spending on cyber-security these days, that's a pipedream.
Department of Homeland Security Secretary Michael Chertoff, who also
presented a keynote on Tuesday, offered litte indication Washington
was about to ride to the rescue. In remarks during his prepared speech
and subsequent press conference, Chertoff offered a dutiful recitation
of what he described as the President's interest in shoring up the
nation's digital security. Give Chertoff credit for being candid about
where DHS has come up short. He said the government needs to reduce
its (literally) thousands of network access points to around 50. At
the same time, Chertoff wants his department to faster detect and
analyze computer anomalies. A big part of that will involve a revamp
of U.S. CERT's early warning system... In the end, however, money
talks and you-know-what walks. The feds only have a $115 million budget
to work with. Chertoff's department has requested $192 million for
the new fiscal year but that's still doing it on the cheap. By
comparison, we spend $720 million in Iraq each day [actually their own money, joke of the day,].

More Information

SOA Software's SOLA Celebrates 5 Years

2008-04-13T23:41:00.002-07:00

SOA Software, a leading mainframe web services vendor, today announced
that SOLA, its flagship mainframe SOA product, has reached the five
year mark in running reliably extremely high volume production
environments. During this period SOLA has not been responsible for a
single production outage, despite handling tens of millions of
transactions every day. SOLA runs the world's largest mainframe SOA
implementations. A number of SOLA customers use it to run many millions
of mainframe web services transactions per day, and many customers'
plans anticipate volume in the 20-30 million transactions per day range.
Because SOLA offers a complete SOA solution there is no requirement to
integrate multiple products when building an enterprise-class SOA
incorporating the mainframe. SOLA includes a drag-and-drop graphical
development studio, an integrated UDDI registry, WS-Security, WS-Policy,
monitoring, logging, a management console and dashboard, SLA management,
BPEL, SAML, X509 Certificates, LDAP and Active Directory. SOLA eliminates
the complexity and expense of combining multiple products, such as CICS
TS 3.x, WebSphere and RAD... SOLA is the only mainframe SOA product to
offer closed-loop Governance automation. A service is automatically
governed from the point of creation because it inherits a security policy.
Policy, by means of WS-PolicyAttachment, is associated with the service
though all phases of the Software Development Lifecycle. It is not
possible to create or run an ungoverned service. Other features of SOLA
include integration with enterprise change management, Global Dictionary,
Logging, Auditing, Outbound SOAP requests, Batch support, Integration
with external UDDI, version control, support for the Software Development
Lifecycle, WSDL first and integration with SOA Management tools, making
SOLA the only secure, standards-based, and Governable product in the
space. SOLA also offers XACML for authentication and a comprehensive
identity mapping system that allows for the mapping of any credential
(LDAP, etc) to a mainframe RACF ID.

OOXML Triggers Demonstration in Norway

2008-04-13T23:41:00.001-07:00

"People were demonstrating today in Oslo in front of the ISO SC34
meeting against the adoption of Microsoft OOXML as an ISO standard, and
especially against the behaviour of Standards Norway, who voted Yes to
the specification, despite a lack of support by a majority of the
technical committee. Geir Isene is reporting about the demonstration...
We are not here today in order to bash Microsoft. We are here because we
believe in open standards. We are not even here today because we are
opposed to OOXML. We are here because we are opposed to OOXML as an ISO
standard. We are not here because we want to discredit the ISO. We are
here because we want to defend ISO's integrity. We are here because we
want to draw attention to the scandalous behaviour of the people in
Standard Norway whose job it is to represent Norwegian users and software
vendors. And we are here because we want to prevent the adoption of a
damaging IT standard in Norway... It's never over until the fat lady
sings, and this fat lady only just got started...

Public Review Draft for WebCGM Version 2.1

2008-04-13T23:40:00.001-07:00

Members of the OASIS CGM Open WebCGM Technical Committee have released
"WebCGM Version 2.1" as a Committee Draft for public review. The comment
period ends June 01, 2008. Computer Graphics Metafile (CGM) is an ISO
standard, defined by ISO/IEC 8632:1999, for the interchange of 2D vector
and mixed vector/raster graphics. WebCGM is a profile of CGM, which adds
Web linking and is optimized for Web applications in technical
illustration, electronic documentation, geophysical data visualization,
and similar fields. First published (1.0) in 1999, WebCGM unifies
potentially diverse approaches to CGM utilization in Web document
applications. It therefore represents a significant interoperability
agreement amongst major users and implementers of the ISO CGM standard.
The present version, WebCGM 2.1, refines and completes the features of
the major WebCGM 2.0 release. WebCGM 2.0 added a DOM (API) specification
for programmatic access to WebCGM objects, a specification of an XML
Companion File (XCF) architecture, and extended the graphical and
intelligent content of WebCGM 1.0. The content of the WebCGM 2.1 profile
comprises less than a dozen items that were arguably within the scope
of WebCGM 2.0, but which arose too late in the standardization of the
latter. On 30-January-2007, OASIS and W3C simultaneously published
WebCGM 2.0 as both an OASIS Standard and a W3C Recommendation, which
are identical in all technical aspects, and differ only in the format
and presentation styles of the respective organizations.

Google's OpenID Provider Via Google Web Engine

2008-04-13T23:39:00.001-07:00

"Shortly after Google released Google Web Engine last night, Ryan
Barrett of Google released an application for the platform that
essentially makes Google an OpenID Provider. Check it out here [...]
You can use your Google Account to log into any site that supports
OpenID! Ryan wrote: "If you've talked to me about work during the last
couple years, I've probably downplayed it, resorted to generalities,
or just changed the subject. No longer! We've finally taken the wraps
off our project, Google App Engine. From the docs: 'Google App Engine
lets you run your web applications on Google's infrastructure. App
Engine applications are easy to build, easy to maintain, and easy to
scale as your traffic and data storage needs grow. With App Engine,
there are no servers to maintain: You just upload your application,
and it's ready to serve your users.' Personally, I spent most of my
time writing the datastore, both the backend and much of the Python API.
When I found extra time, though, I had a lot of fun writing apps and
libraries on top of App Engine. I particularly enjoyed writing an
interactive shell, an OpenID provider, and a full text search library.
From the OpenID Wiki: OpenID allows anyone who can run a web server to
run an identity server. Your identity server is separate from your
identity, so you are free to use any identity server that has some
ability to validate your identity and you can change between them at
will. An identity server is sometimes referred to as an identity provider.
If you wish, you can use the services listed below with your own website
as your identifier using delegation.

OGC Adopts ebRIM Application Profile for Catalogues

2008-04-13T23:38:00.000-07:00

The Open Geospatial Consortium announced that its membership has
approved the OASIS ebRIM (Electronic Business Registry Information
Model) application profile of the OpenGIS Catalogue Service 2.1.2
standard. The Catalogue Standard specifies a design pattern that
allows for the definition of interfaces called application profiles
based on different standards, such as ZF39.50, ebRIM, UDDI, or ISO
metadata, that support the ability to publish and search collections
of descriptive information (metadata) about geospatial data, services
and related information objects. The ebRIM application profile was
developed and adopted because it enables catalogs to handle services
as well a variety of other geospatial resource types such as symbol
libraries, coordinate reference systems, application profiles, and
application schemas and geospatial metadata. The OGC is an international
industry consortium of more than 345 companies, government agencies,
research organizations, and universities participating in a consensus
process to develop publicly available interface specifications.
OpenGIS Specifications support interoperable solutions that geo-enable
the Web, wireless and location-based services, and mainstream IT. The
specifications empower technology developers to make complex spatial
information and services accessible and useful with all kinds of
applications.

Building an Entitlements Management Solution

2008-04-13T23:37:00.002-07:00

What does it take to build an Entitlements Management solution? That
depends on who you ask of course. However, when I look at commercial
products in this area I see certain common architectural patterns.
Many of the products that I've seen make use of a set of common elements
defined by the OASIS XACML standard (Extensible Access Control Markup
Language). The [referenced] picture shows the typical components of an
Entitlements Management solution. The XACML spec defines the role of
the Policy Administration Point (PAP), the Policy Decision Point (PDP),
the Policy Enforcement Point (PEP), and the Policy Information Points
(PIP). The Policy Administration Point (PAP) manages the creation and
storage of policy data in the Policy Store. The administrator interacts
with the PAP (typically) through a browser based management console
where roles, policies, resources, actions and so forth are defined and
managed. The policy store may be an LDAP directory or a database. The
PAP may also provide facilities for policy import and export. Most
products provide some management APIs that allow customers to embed
administrative functionality into their own applications. Runtime role
or authorization decisions are determine at the Policy Decision Points.
Typically I've seen two ways that PDPs are deployed: (1) As a
centralized entitlements server that can be invoked by remote clients
via RMI, Web Service calls or using the XACML 2.0 request/response
protocol. (2) As an embedded PDP deployed in same process space as
the application. The most common examples are PDPs embedded in a JVM
for plain Java applications or embedded in an application server for
J2EE applications... The PDPs can be configured to get data from one
or more Policy Information Points (PIPs). These PIPs can be user or
application directories or databases that contain information that
is required to make an access decision. Such information includes
user, group, and resource attributes (e.g. user profile information,
account balances and limits, etc.). These attributes can then be
used in the policies which control access...

Mathematical Markup Language (MathML) Version 3.0 Draft Published

2008-04-13T23:37:00.001-07:00

W3C's Math Working Group has published a Working Draft of "Mathematical
Markup Language (MathML) Version 3.0." This is the third draft of
MathML, an XML application for describing mathematical notation and
capturing both its structure and content. The specification defines the
Mathematical Markup Language, or MathML, as an XML application for
describing mathematical notation and capturing both its structure and
content. The goal of MathML is to enable mathematics to be served,
received, and processed on the World Wide Web, just as HTML has enabled
this functionality for text. This specification of the markup language
MathML is intended primarily for a readership consisting of those who
will be developing or implementing renderers or editors using it, or
software that will communicate using MathML as a protocol for input or
output. It is not a User's Guide but rather a reference document. MathML
can be used to encode both mathematical notation and mathematical
content. About thirty-five of the MathML tags describe abstract
notational structures, while another about one hundred and seventy
provide a way of unambiguously specifying the intended meaning of an
expression. Additional chapters discuss how the MathML content and
presentation elements interact, and how MathML renderers might be
implemented and should interact with browsers. Finally, this document
addresses the issue of special characters used for mathematics, their
handling in MathML, their presence in Unicode, and their relation to
fonts. While MathML is human-readable, in all but the simplest cases,
authors use equation editors, conversion programs, and other specialized
software tools to generate MathML. Several versions of such MathML
tools exist, and more, both freely available software and commercial
products, are under development.

RSA 2008: BT Trials Federated Identity Management

2008-04-09T00:25:00.002-07:00

BT is experimenting with a federated identity management system that
could be rollled out to its eight million internet users and corporate
customers. A commercial version would allow users to identify themselves
for websites and applications and other users to access data, do work
and transact business, said Robert Temple, BT's chief security architect.
Using CA's Siteminder software, BT is giving internal staff web access
to applications such as Peoplesoft, Siebel, Oracle Financials, Citrix,
an XML gateway, and a voice-verification system from Persay. Temple said
the company's intention is to provide managed user identity as a "common
capability" of the kind relatively common in IT but rare in
telecommunications. Temple said BT runs 32 discrete different networks.
As a result it has too many Radius identity authentication servers.
Learning how to consolidate how it manages user identities on all these
networks is the only way it would be possible to extend similar
safeguards to BT customers, he said. It has opted to use the Liberty
Alliance's Security Assertion Markup Language (SAML) 2.0 standard for
federated identity management. However, it has proved hard to find
external contractors willing and able to help BT as most were familiar
with earlier versions of SAML. Temple noted that relationships between
BT and organisations sharing its federated IDs were plagued by lawyers
and contracts. "In the end, we asked the lawyers politely to get out of
the way as we knew what we were doing," he said. Temple said this was
not to minimise the legal issues, which required partners to spend a
lot of time building trust in each other. These lessons would help to
reduce the learning curve for user organisations when the time came for
them to make more use of the web for business applications...

SCA Java EE Integration Specification Version 0.9

2008-04-09T00:25:00.001-07:00

On March 28, 2008 Version 0.9 of the SCA "Java EE Integration
Specification" was published by OSOA authors as part of the SCA
Service Component Architecture; contributors include BEA, Cape Clear,
IBM, Interface21, IONA, Oracle, Primeton, Progress Software, Red Hat,
Rogue Wave, SAP, Siemens, Software AG., Sun, Sybase, and TIBCO. The
specification defines a model of using SCA assembly in the context of
a Java EE runtime that enables integration with Java EE technologies
on a fine-grained component level as well as use of Java EE applications
and modules in a coarse-grained large system approach. The Java EE
specifications define various programming models that result in
application components, such as Enterprise Java Beans (EJB) and Web
applications that are packaged in modules and that are assembled to
enterprise applications using a Java Naming and Directory Interface
(JNDI) based system of component level references and component naming.
Names of Java EE components are scoped to the application package
(including single module application packages), while references, such
as EJB references and resource references, are scoped to the component
and bound in the Environment Naming Context (ENC). In order to reflect
and extend this model with SCA assembly, this specification introduces
the concept of the Application Composite and a number of implementation
types, such as the EJB implementation type and the Web implementation
type, that represent the most common Java EE component types.
Implementation types for Java EE components associate those component
implementations with SCA service components and their configuration,
consisting of SCA wiring and component properties as well as an assembly
scope (i.e. a composite). Note that the use of these implementation
types does not create new component instances as far as Java EE is
concerned. Section 3.1 explains this in more detail. In terms of
packaging and deployment this specification supports the use of a Java
EE application package as an SCA contribution, adding SCA's domain
metaphor to regular Java EE packaging and deployment. In addition, the
JEE implementation type provides a means for larger scale assembly of
contributions in which a Java EE application forms an integrated part
of a larger assembly context and where it is viewed as an implementation
artifact that may be deployed several times with different component
configurations.

Intel Releases SOA Security Toolkit

2008-04-09T00:24:00.002-07:00

Intel has introduced its SOA Security Toolkit as a release candidate.
Part of Intel's family of XML tools, the toolkit is a high-performance
software module that addresses the confidentiality needs of
services-oriented architectures (SOA) by providing XML digital
signatures, encryption, and decryption capabilities for SOAP protocol
messages. Enterprises adopting and deploying Service Oriented
Architecture (SOA) solutions rely on message formats defined in XML
(Extensible Markup Language). The extensibility, verbosity and
structured nature of XML create performance challenges for software
developers seeking to provide content security in this dynamic,
heterogeneous environment. The Intel SOA Security Toolkit is standards
compliant, for easy integration into existing XML processing environments
and is optimized to support the authentication, confidentiality and
integrity of complex and large-size XML documents. The Intel SOA Security
Toolkit 1.0 for Java environments is a high-performance policy-driven
API available for Linux and Windows. Compliant with WS-security 1.0/1.1
and SOAP 1.1/1.2 standards, the toolkit focuses on confidentiality,
integrity and non-repudiation for SOA environments. This toolkit enables
encryption and decryption of SOAP message data, digital signature and
verification via a wide range of security algorithms, using industry
standards, for both servers as well as application environments. The
toolkit lets users provide their own XML policy file as an input. Through
this policy file, users can specify for the API security policy engine
which key provider and trust manager to instantiate, using either a
custom or the default class loader implementation. The security policy
engine then applies the specified policy, obtaining the keys and
certificates through the specified key provider and perform the trust
check using the specified trust manager. The toolkit supports all types
of X509 certificates, private, and shared keys.

Cool URIs for the Semantic Web

2008-04-09T00:24:00.001-07:00

Members of the W3C Semantic Web Education and Outreach (SWEO) Interest
Group have published an Interest Group Note "Cool URIs for the Semantic
Web." It constitutes a tutorial explaining decisions of the Technical
Architecture Group (TAG) for newcomers to Semantic Web technologies. The
document was initially based on the DFKI Technical Memo TM-07-01, 'Cool
URIs for the Semantic Web' and was subsequently published as a W3C
Working draft in December 2007, and again in March 2008 by the Semantic
Web Education and Outreach (SWEO) Interest Group of the W3C, part of the
W3C Semantic Web Activity. The drafts were publicly reviewed, especially
by the TAG and the Semantic Web Deployment Group (SWD). Summary: The
Resource Description Framework RDF allows users to describe both Web
documents and concepts from the real world -- people, organisations,
topics, things -- in a computer-processable way. Publishing such
descriptions on the Web creates the Semantic Web. URIs (Uniform Resource
Identifiers) are very important, providing both the core of the framework
itself and the link between RDF and the Web. This document presents
guidelines for their effective use. It discusses two strategies, called
303 URIs and hash URIs. It gives pointers to several Web sites that use
these solutions, and briefly discusses why several other proposals have
problems. Given only a URI, machines and people should be able to retrieve
a description about the resource identified by the URI from the Web. Such
a look-up mechanism is important to establish shared understanding of
what a URI identifies. Machines should get RDF data and humans should get
a readable representation, such as HTML. The standard Web transfer protocol,
HTTP, should be used. There should be no confusion between identifiers
for Web documents and identifiers for other resources. URIs are meant
to identify only one of them, so one URI can't stand for both a Web
document and a real-world object.

Google App Engine Supports Scalable Application Development

2008-04-09T00:23:00.002-07:00

Google has announced the availability of its free Google App Engine which
provides a fully-integrated application environment, making it "easy
to build scalable applications that grow from one user to millions of
users without infrastructure headaches." According to the Google
announcement, "Google App Engine gives you access to the same building
blocks that Google uses for its own applications, making it easier to
build an application that runs reliably, even under heavy load and with
large amounts of data. The development environment includes the following
features: (1) Dynamic webserving, with full support of common web
technologies; (2) Persistent storage powered by Bigtable and GFS [Google
File System, a scalable distributed file system for large distributed
data-intensive applications] with queries, sorting, and transactions;
(3) Automatic scaling and load balancing; (4) Google APIs for
authenticating users and sending email; (5) Fully featured local
development environment. App Engine applications are implemented using
the Python programming language. The App Engine Python runtime environment
includes a specialized version of the Python interpreter, the standard
Python library, libraries and APIs for App Engine, and a standard
interface to the web server layer. Google App Engine and Django both
have the ability to use the WSGI standard to run applications. As a result,
it is possible to use nearly the entire Django stack on Google App Engine,
including middleware. As a developer, the only necessary adjustment is
modifying your Django data models to make use of the Google App Engine
Datastore API to interface with the fast, scalable Google App Engine
datastore. Since both Django and Google App Engine have a similar concept
of models, as a Django developer, you can quickly adjust your application
to use our datastore. Google App Engine packages these building blocks
and takes care of the infrastructure stack, leaving you more time to
focus on writing code and improving your application... This preview of
Google App Engine is available for the first 10,000 developers who sign
up, and we plan to increase that number in near future. During this
preview period, applications are limited to 500MB of storage, 200M
megacycles of CPU per day, and 10GB bandwidth per day. We expect most
applications will be able to serve around 5 million pageviews per month.
In the future, these limited quotas will remain free, and developers will
be able to purchase additional resources as needed..."

New WSO2 Identity Solution Feature-Rich with OpenID

2008-04-09T00:23:00.001-07:00

Developers today announced the "WSO2 Identity Solution", which enables
LAMP and Java websites to provide strong authentication based on the
new interoperable Microsoft CardSpace technology. New features in
version 1.5 include: (1) OpenID Provider and relying party component
support; (2) OpenID information cards based on user name-token credential
and self issued credential; (3) SAML 2.0 support. "This new release
includes OpenID and OpenID Information Cards, further enhancing the WSO2
Identity Solution to cater to a wider audience for web based
authentication. OpenID is a key feature in decentralizing single sign-on,
much favored by many users. The WSO2 Identity Solution is built on the
open standards Security Assertion Mark-up Language (SAML) and WS-Trust.
This version supports SAML version 2.0 in addition to 1.1 which was
available in the previous version of the WSO2 Identity Solution. WSO2's
open source security offering features an easy-to-use Identity Provider
that is controlled by a simple Web-based management console and supports
interoperability with multiple vendors' CardSpace components. This
includes those provided by Microsoft .NET. The WSO2 Identity Solution
also works with current enterprise identity directories, such as those
based on the Lightweight Directory Access Protocol (LDAP) and Microsoft
Active Directory, allowing them to leverage their existing infrastructure.
In addition to the Identity Provider the WSO2 Identity Solution provides
a Relying Party Component Set which plugs into the most common Web
servers to add support for CardSpace authentication and now OpenID."
The software is available for download, governed by the open source
Apache License, Version 2.0.

First Public Draft: Health Care and Life Sciences (HCLS) Knowledgebase

2008-04-09T00:22:00.002-07:00

Members of the W3C Semantic Web in Health Care and Life Sciences
Interest Group (HCLS) have released a First Working Draft for a "HCLS
Knowledgebase" specification. This document is one of two initial WDs.
The HCLS Knowledgebase (HCLS-KB) is a biomedical knowledge base that
integrates 15 distinct data sources using currently available Semantic
Web Technologies such as the W3C standard Web Ontology Language (OWL)
and Resource Description Framework (RDF). This report outlines which
resources were integrated, how the KB was constructed using freely
available triple store technology, how it can be queried using the W3C
Recommended RDF query language SPARQL, and what resources and inferences
are involved in answering complex queries. While the utility of the KB
is illustrated by identifying a set of genes involved in Alzheimer's
Disease, the approach described here can be applied to any use case
that integrates data from multiple domains. A second document
"Experiences with the Conversion of SenseLab databases to RDF/OWL"
shares implementation experience of the Yale Center for Medical
Informatics: "One of the challenges facing Semantic Web for Health
Care and Life Sciences is that of converting relational databases
into Semantic Web format. The issues and the steps involved in such
a conversion have not been well documented. To this end, we have
created this document to describe the process of converting SenseLab
databases into OWL. SenseLab is a collection of relational (Oracle)
databases for neuroscientific research. The conversion of these
databases into RDF/OWL format is an important step towards realizing
the benefits of Semantic Web in integrative neuroscience research.
This document describes how we represented some of the SenseLab
databases in Resource Description Framework (RDF) and Web Ontology
Language (OWL), and discusses the advantages and disadvantages of
these representations. Our OWL representation is based on the reuse
of existing standard OWL ontologies developed in the biomedical
ontology communities." The mission of the W3C Health Care and Life
Sciences (HCLS) Interest Group is to show how to use Semantic Web
technology to answer cross-disciplinary questions in life science that
have, until now, been prohibitively difficult to research. The
success of the group continues to draw industry interest. W3C Members
are currently reviewing a draft charter that would enable the renewed
HCLS Interest Group to develop and support use cases that have clear
scientific, business and/or technical value, using Semantic Web
technologies in three areas: life science, translational medicine,
and health care. W3C invites Members to review the draft charter
(which is public during the review), and encourages those who are
interested in using the Semantic Web to solve knowledge representation
and integration on a large scale to join the Interest Group.

DMTF SM CLP Specification Adopted as an ANSI INCITS Standard

2008-04-09T00:22:00.001-07:00

The Distributed Management Task Force announced a major technology
milestone in achieving "National Recognition with a Newly Approved ANSI
Standard." Its Server Management Command Line Protocol (SM CLP)
specification, a key component of DMTF's Systems Management Architecture
for Server Hardware (SMASH) initiative, has been approved as an American
National Standards Institute (ANSI) InterNational Committee for
Information Technology Standards (INCITS) standard. DMTF will continue
to work with INCITS to submit the new ANSI standard to the International
Standards Organization/ International Electrotechnical Commission
(ISO/IEC) Joint Technical Committee 1 (JTC 1) for approval as an
international standard. The INCITS Executive Board recently approved the
SM CLP standard, which has been designated ANSI INCITS 438-2008. INCITS
is accredited by ANSI, the organization that oversees the development of
American National Standards by accrediting the procedures of
standards-developing organizations, such as INCITS. SM CLP (DSP0214) is
a part of DMTF's SMASH initiative, which is a suite of specifications
that deliver architectural semantics, industry standard protocols and
profiles to unify the management of the data center. The SM CLP standard
was driven by a market requirement for a common command language to
manage a heterogeneous server environment. Platform vendors provide tools
and commands in order to perform systems management on their servers.
SM CLP unifies management of multi-vendor servers by providing a common
command language for key server management tasks. The spec also enables
common scripting and automation using a variety of tools. The SM CLP spec
allows management solution vendors to deliver many benefits to IT
customers. The spec enables data center administrators to securely manage
their heterogeneous server environments using a command line protocol
and a common set of commands. SM CLP also enables the development of
common scripts to increase data center automation, which can help
significantly reduce management costs... The CLP is defined as a
character-based message protocol and not as an interface, in a fashion
similar to Simple Mail Transfer Protocol (RFC 2821). The CLP is a
command/response protocol, which means that a text command message is
transmitted from the Client over the transport protocol to the
Manageability Access Point (MAP). The MAP receives the command and
processes it. A text response message is then transmitted from the MAP
back to the Client... The CLP supports generating XML output data
(Extensible Markup Language, Third edition), as well as keyword mode
and modes for plain text output. XML was chosen as a supported output
format due to its acceptance in the industry, establishment as a
standard, and the need for Clients to import data obtained through the
CLP into other applications.

XML and Government Schizophrenia

2008-04-08T04:32:00.001-07:00

The U.S. Government is very leery of technology fads and that is why
it often has a love/hate relationship with XML. For every technology
that exists, the government has a huge legacy investment. So, while the
corporate world may turn on a dime and quickly adopt the latest and
greatest thing -- the government must contend with huge legacy issues,
a two-year (minimum) budget planning cycle, and a horde of technologists
actively engaged and personally invested in that legacy technology that
you want to throw away! [...] Let me briefly discuss a program that I
initiated when working for the Department of Homeland Security (DHS).
The National Information Exchange Model (NIEM) started as a joint-venture
between DHS and the Department of Justice (DOJ) to harmonize and speed
up the process of information sharing between the federal government
and state and local governments -- actually State, Local and Tribal
governments. The basic idea is that it combines a registry of standard
data objects (modeled via XML Schema), a process for quickly producing
an exchange message, a governance process for the model, and robust tool
support. The model leveraged and extended an existing model called the
Global Justice XML Data Model (GJXDM). It is widely used by law
enforcement at all levels of government and now is also being widely
used at DHS. It has multiple success stories behind it including the
Amber Alert and the national sex offender registry. I highly encourage
everyone to look at it and help make it better. So, what does this mean
for Government Schizophrenia? For information sharing, XML is a favorite
but is attacked continuously in relation to weak data modeling support,
weak encoding of binary objects, performance issues, and many more...

Web Oriented Architecture (WOA) May Soon Eclipse SOA

2008-04-08T04:31:00.004-07:00

A recent blog post questions whether services oriented architecture
(SOA) was driving substantive transformation inside of enterprise IT.
My conclusion is that something is not quite right in SOA-ville. The
uptake of general-purpose service enablement is by no means a hockey
stick trend line. The adoption patterns some five years into the SOA
evolutionary path do not show a slam dunk demand effect. The role,
impact and importance of SOA is, in fact, ambiguous -- still. Many
see it as merely an offshoot of EAI, rather than a full-blown paradigm
shift. Meanwhile, some other trends that do demonstrate more of a
hockey stick adoption pattern -- social media, Ruby/Phython, RESTful
interactions, and RIAs -- are worth a fresh look in the context of SOA.
The new kids on the innovation block are experimenting at break-neck
speed with social media, social networking, Ruby on Rails, SaaS, Python,
REST and the vital mix of rich Internet application (RIA) approaches.
Something is going on here that shows the compelling attraction of
better collaboration and sharing methods, of self-defining social and
work teams, of faster and easier applications development, of not
moving old systems to the Web but just moving to the Web directly, and
the recognition that off-the-wire applications with fine UIs are the
future... I'm wondering now whether the window for holistic SOA
deployment and value, as it has been classically defined, is being
eclipsed. Is it possible that Web interfaces and data disintermediation
for legacy applications will be enough? Is it possible that exposing
the old applications, and reducing costs of IT support via consolidation
and modernization is enough? In short, is the path of least resistance
to business transformation one that necessarily requires a fording of
the SOA stream? Or is there a shorter, dry path that goes directly to
Web oriented architecture? Is SOA therefore the impediment or empowerment
to transformation on the right scale and at Internet time?

SaaS Single Sign-On: It's Time for a Lighter Approach

2008-04-08T04:31:00.003-07:00

SaaS brings a lot of advantages to businesses - no need to invest in
purchasing and maintaining licenses and infrastructure, and no need
to worry about upgrades and bug fixes. Larger companies, however, face
a major challenge related to user authentication and management. Larger
companies have invested a lot of time and effort in improving user
productivity, compliance and security, and in cutting user management
costs. They have done so using technologies like single sign-on and
centralized user management. SaaS applications are now challenging
those efforts and threatening to bring them back to the situation
where every user has several different usernames and passwords and
the customers have several different user directories to maintain.
Currently there are a few common ways for SaaS providers to give users
single sign-on and/or to let customers use their internal user management
solutions to manage access to the SaaS application: (1) Identity
federation; (2) Delegated authentication; (3) Encrypted links; (4)
User directory synchronization. Identity federation, as a concept,
is exactly what is needed -- SaaS providers can offer customers single
sign-on and automated user management based on current information in
their internal user directory. Identity federation based on SAML,
WS-Federation or ADFS, however, requires each customer to invest in
and roll out software compliant with those technologies... Delegated
authentication provides users single sign-on by using an existing
logon, for instance on a corporate intranet, to generate tokens that
can be used to grant access to a SaaS application. However, delegated
authentication does not bring any help to maintenance of user profiles
and access rights, which still have to be maintained manually in the
application. It also requires time and technical resources by the
customer... Google Analytics, the SaaS application for monitoring web
site usage, offers a different and interesting view to the problem.
Each Analytics customer needs to integrate Analytics with its web site
in order to be able to collect and monitor usage statistics. By
choosing a scripting integration model requiring only a few lines of
JavaScript on the web pages, Google managed to lower the requirements
on the customers' web sites and the technical skills required to do
the integration. As a result, they managed to get hundreds of thousands
of customers in 18 months...

RSA Conference 2008: Concordia Done, OSIS To Go

2008-04-08T04:31:00.001-07:00

The author blogs on the the Project Concordia workshop held at RSA 2008
on 2008-04-07, showing SAML 2.0/WS-Federation single sign-on from a
service provider to an identity provider, the identity provider
authenticating the user via a managed information card and sending
claims from the card to the service provider as SAML 2.0 attributes.
Note that not every combination of SAML 2.0/WS-Federation SP, IdP and
Information Card STS completely works, but enough that the approach was
proven. Slides from the "Concordia/RSA Interop Demo" describe the
products involved. OpenSSO primarily attracts enterprises interested in
deploying a web access management or federation solution using open
source tools. An Information Card RP Extension has been contributed
by Patrick Petit. The OAIS (Open Source Identity Systems) demonstration
shows the OSIS User centric identity network interoperability between
identity providers, card selectors, browsers and websites demonstrates
how users can 'click-in' to sites via self-issued and managed
information cards, or i-cards. Open ID, Higgins Identity Framework,
Microsoft CardSpace, SAML, WSTrust, Kerberos and X.509 components
interoperate within an identity layer from open-source parts...

Concordia Project Demonstrates Multi-Protocol Interoperability

2008-04-08T04:30:00.001-07:00

The Concordia Project, a global cross-industry initiative formed by
members of the identity community to drive harmonization and
interoperability among identity initiatives and protocols, announced
its first interoperability event taking place at RSA Conference 2008
in San Francisco on Monday, April 7 from 9:00am - 12:30pm. The event
will include FuGen Solutions, Internet2, Microsoft, Oracle, Ping
Identity, Sun Microsystems and Symlabs demonstrating varying
interoperability scenarios using Information Card, Liberty Alliance,
and WS-* identity protocols. Over 500 RSA Conference participants have
registered to attend the Concordia Project interoperability event to
date. The April 7 demonstrations have been developed to meet use case
scenarios presented to the Concordia Project by enterprise, education
and government organizations deploying digital identity management
systems and requiring multi-protocol interoperability of identity
specifications. Since the formal launch of the Concordia Project in
June of 2007, deployer use case scenarios involving Information Card,
Liberty Alliance and WS-* identity protocols have been presented by
AOL, the Government of British Columbia, Boeing, Chevron, General
Motors, Internet2, theNew Zealand State Services Commission, the US
GSA and the University of Washington. Concordia members decided
collectively on what interoperability demonstrations should be developed
first based on identity management commonalities and priorities
identified by the majority of deploying organizations. During the RSA
Conference event, Concordia members will demonstrate multi-protocol
interoperability based on two of the fourteen use case scenarios
submitted to the project to date. The first includes Oracle, Internet2,
FuGen Solutions, Microsoft, Ping Identity, Sun Microsystems and Symlabs
and is characterized by a user authenticating to an identity provider
(IdP) using an InfoCard and communicating that authentication to a
relying party through either SAML 2.0 or WS-Federation protocols. The
second includes Internet2, Oracle, Sun Microsystems and Symlabs
demonstrating SSO flow between chained SAML and WS-Federation protocols.

XACML Interoperability Demo for Health Care Scenario

2008-04-08T04:29:00.002-07:00

At the RSA 2008 Conference, members of the OASIS open standards
consortium, in cooperation with the Health Information Technologies
Standards Panel (HITSP), demonstrated interoperability of the
Extensible Access Control Markup Language (XACML) version 2.0.
Simulating a real world scenario provided by the U.S. Department of
Veterans Affairs, the demo showed how XACML ensures successful
authorization decision requests and the exchange of authorization
policies. The XACML Interop at the RSA 2008 conference utilizes
requirements from Health Level Seven (HL7), ASTM International, and
the American National Standards Institute (ANSI). The demo features
role-based access control (RBAC), privacy protections, structured
and functional roles, consent codes, emergency overrides and filtering
of sensitive data. Vendors show how XACML obligations can provide
capabilities in the policy decision making process. The use of XACML
obligations and identity providers using the Security Assertion
Markup Language (SAML) are also highlighted. According to the
ANSI/HITSP announcement, the multi-vendor demonstrations "highlight
the use of OASIS standards in HITSP-approved guidelines, known as
'constructs,' to meet healthcare security and privacy needs. The
Panel's security and privacy specifications address common data
protection issues in a broad range of subject areas, including
electronic delivery of lab results to a clinician, medication workflow
for providers and patients, quality, and consumer empowerment. HITSP
is a multi-stakeholder coordinating body designed to provide the
process within which affected parties can identify, select, and
harmonize standards for communicating health care information throughout
the health care spectrum. As mandated by the U.S. Department of Health
and Human Services (HHS), the Panel's work supports Use Cases defined
by the American Heath Information Community (AHIC). 'This is the first
time the RSA Conference will highlight in an Interop demo the healthcare
scenario, the Electronic Health Records (EHR), and associated
interoperable terminologies of clinical roles, patient consent
directives, obligations, and business logic,' said John (Mike) Davis,
standards architect with the VHA Office of Information in the Department
of Veterans Affairs, and a member of the HITSP Security, Privacy and
Infrastructure Technical Committee."

Web Security Context: Experience, Indicators, and Trust

2008-04-08T04:29:00.001-07:00

Members of the W3C Web Security Context Working Group have published
a revised version of the Working Draft specification "Web Security
Context: Experience, Indicators, and Trust." It defines guidelines
and requirements for the presentation and communication of Web security
context information to end-users; and good practices for Web Site
authors. To facilitate access to relevant background, various sections
of this document are annotated with references to input documents that
are available from the Working Group's Wiki, and to pertinent issues
that the group is tracking. The documents in the wiki include background,
motivation, and usability concerns on the proposals that reference them.
They provide important context for understanding the potential utility
of the proposals. The W3C Web Security Context Working Group focuses on
the challenges that arise when users encounter currently deployed
security technology, such as TLS: While this technology achieves its
goals on a technical level, attackers' strategies shift towards
bypassing the security technology instead of breaking it. When users
do not understand the security context in which they operate, then it
becomes easy to deceive and defraud them.

XML Schema for Media Control

2008-04-08T04:28:00.003-07:00

IETF announced that a new Request for Comments "XML Schema for Media
Control" is now available in online RFC libraries. The specification
has been produced by members of the IETF Multiparty Multimedia Session
Control (MMUSIC) Working Group. The RFC 5168 document defines an
Extensible Markup Language (XML) Schema for video fast update in a
tightly controlled environment, developed by Microsoft, Polycom,
Radvision and used by multiple vendors. This document describes a
method that has been deployed in Session Initiation Protocol (SIP)
based systems over the last three years and is being used across
real-time interactive applications from different vendors in an
interoperable manner. New implementations are discouraged from using
the method described except for backward compatibility purposes. New
implementations are required to use the new Full Intra Request command
in the RTP Control Protocol (RTCP) channel. The Multiparty MUltimedia
SessIon Control (MMUSIC) Working Group was chartered to develop
protocols to support Internet teleconferencing and multimedia
communications. These protocols are now reasonably mature, and many
have received widespread deployment. The group is now focussed on
the revisions of these protocols in the light of implementation
experience and additional demands that have arisen from other WGs
(such as AVT, SIP, SIPPING, and MEGACO)... The MMUSIC work items
are pursued in close coordination with other IETF WGs related to
multimedia conferencing and IP telephony (AVT, SIP, SIPPING, SIMPLE,
XCON, MEGACO and, where appropriate, MIDCOM and NSIS).

Unicode Consortium Announces Release of Unicode Standard Version 5.1

2008-04-08T04:28:00.001-07:00

The Unicode Consortium has announced the release of Unicode Version 5.1,
containing over 100,000 characters, and provides significant additions
and improvements that extend text processing for software worldwide.
Some of the key features are: increased security in data exchange,
significant character additions for Indic and South East Asian scripts,
expanded identifier specifications for Indic and Arabic scripts,
improvements in the processing of Tamil and other Indic scripts,
linebreaking conformance relaxation for HTML and other protocols,
strengthened normalization stability, new case pair stability, plus
others given below. The Version 5.1.0 data files and documentation are
final and posted on the Unicode site. In addition to updated existing
files, implementers will find new test data files (for example, for
linebreaking) and new XML data files that encapsulate all of the Unicode
character properties. A major feature of Unicode 5.1.0 is the enabling
of ideographic variation sequences. These sequences allow standardized
representation of glyphic variants needed for Japanese, Chinese, and
Korean text. Unicode 5.1 contains significant changes to properties and
behaviorial specifications. Several important property definitions were
extended, improving linebreaking for Polish and Portuguese hyphenation.
The Unicode Text Segmentation Algorithms, covering sentences, words,
and characters, were greatly enhanced to improve the processing of Tamil
and other Indic languages. The Unicode Normalization Algorithm now
defines stabilized strings and provides guidelines for buffering.
Standardized named sequences are added for Lithuanian, and provisional
named sequences for Tamil. Unicode 5.1.0 adds 1,624 newly encoded
characters. These additions include characters required for Malayalam
and Myanmar and important individual characters such as Latin capital
sharp s for German. Version 5.1 extends support for languages in Africa,
India, Indonesia, Myanmar, and Vietnam, with the addition of the Cham,
Lepcha, Ol Chiki, Rejang, Saurashtra, Sundanese, and Vai scripts. The
Unicode Collation Algorithm (UCA), the core standard for sorting all
text, is also being updated at the same time. The major changes in UCA
include coverage of all Unicode 5.1 characters, tightened conformance
for canonical equivalence, clearer definitions of internationalized
search and matching, specifications of parameters for customizing
collation, and definitions of collation folding. The next version of
the Unicode locale project (CLDR) is also being prepared on the basis
of Unicode 5.1, and is now open for public data submission.

IONA Becomes Silver Sponsor of the Apache Software Foundation

2008-04-03T06:07:00.001-07:00

IONA announced that it has become a Silver Sponsor of The Apache Software
Foundation. The Apache Software Foundation (ASF) is a non-profit
corporation dedicated to consensus-based, collaborative software
development. Financial sponsorship will help ASF to acquire servers and
hardware infrastructure, purchase bandwidth and needed resources, and
increase awareness of ASF projects and incubating initiatives. IONA's
commitment to Open Source software is an integral part of its 15-year
heritage. With a high degree of Open Source community involvement, IONA
supports the efforts of its developers who are members and contributors
to a number of ASF projects. Aiding the efforts for increased adoption
of Open Source SOA, IONA developers play key roles in the Apache
ActiveMQ project, the Apache ServiceMix project, the CXF project in
the Apache Incubator, and the Apache Camel project, a sub-project of
ActiveMQ. IONA's distributed, Open Source SOA infrastructure solutions,
FUSE Message Broker, FUSE ESB, FUSE Services Framework and FUSE Mediation
Router, are built on code developed in those ASF projects and are
distributed under the terms of the Apache License 2.0. IONA provides
professional support, consulting and training for enterprise customers
looking to deploy this Open Source SOA technology in their mission-critical
business applications. IONA also recently announced the launch of Artix
Connect for WCF (Windows Communication Foundation). Artix Connect for
WCF enables Global 2000 customers to optimize their investments in
Microsoft technology and seamlessly extend connectivity with legacy
applications from within the Microsoft Visual Studio development
environment. By wrapping back-office legacy systems behind
standards-based Web Services Description Language (WSDL) interfaces,
Artix Connect for WCF allows the .NET developer to connect with Java
or CORBA without the need for custom adapters or new code generation.
The product enables companies to leverage existing investments in Java,
CORBA, and more, without leaving the Microsoft Visual Studio development
environment or requiring additional skills. Artix Data Services, a
component of IONA's Artix family of advanced SOA infrastructure products,
offers the broadest support for financial services standards, message
types and validation rules, including SWIFT, SEPA, FpML, TWIST, ISO
20022, CREST and FIX, with the ability to model any data format for
complete compliance.

Facebook Meets .Net

2008-04-03T06:06:00.001-07:00

Facebook is a popular social network site and a destination for
application developers, but developers need to learn its peculiarities,
according to a VSLive conference presentation in San Francisco.
Development on Facebook is more like embedded development rather than
normal Web development, said speaker Jeffrey McManus, CEO of Platform
Associates, a consulting firm. Facebook is a platform featuring a
collection of technologies enabling developers to create applications
that incorporate Facebook data. This could include applications, for
example, that make Web services calls to Facebook and applications
that can run within Facebook. Technologies for developing applications
in Facebook include FBML (Facebook Markup Language) and IFrame, an HTML
construct that opens a hole in a page enabling display of another page
inside of it, according to McManus. Also factored into the equation is
Facbook.Net, a .Net library that wraps Web services and handles
authentication and other elements. Silverlight, Microsoft's new
multimedia presentation technology, also can be supported in Facebook
using FBML.

OASIS Open Reputation Management Systems (ORMS) Technical Committee

2008-04-03T06:05:00.004-07:00

OASIS recently announced the formation of a new technical committee to
make it easier to validate the trustworthiness of businesses, projects,
and people working and socializing in electronic communities. The OASIS
Open Reputation Management Systems (ORMS) Technical Committee will
define common data formats for consistently and reliably representing
reputation scores. ORMS will be relevant for a variety of applications
including validating the trustworthiness of sellers and buyers in online
auctions, detecting free riders in peer-to-peer networks, and helping
to ensure the authenticity of signature keys in a web of trust. ORMS
will also help enable smarter searching of web sites, blogs, events,
products, companies, and individuals. Because the majority of existing
on-line rating, scoring and reputation mechanisms have been developed
by private companies using proprietary schemas, there is currently no
common method to query, store, aggregate, or verify claims between
systems. The different sources of reputation data -- user feedback
channels (product ratings, comment forms), online user profiles, etc. --
are each uniquely susceptible to bad actors, manipulation of data for
specific purposes, and spammers. ORMS will not attempt to define
algorithms for computing reputation scores. Instead, the OASIS Committee
will provide the means for understanding the relevancy of a score within
a given context.

Open Web SSO Project - Build 4

2008-04-03T06:05:00.003-07:00

Developer blogs from the OpenSSO Project announce the release of OpenSSO
Version 1 Build 4. The Open Web SSO project (OpenSSO) provides core
identity services to simplify the implementation of transparent single
sign-on (SSO) as a security component in a network infrastructure.
OpenSSO provides the foundation for integrating diverse web applications
that might typically operate against a disparate set of identity
repositories and are hosted on a variety of platforms such as web and
application servers. This project is based on the code base of Sun Java
System Access Manager, a core identity infrastructure product offered
by Sun Microsystems. The objectives of the OpenSSO project are to provide
open access to an identity infrastructure source code; to enable
innovation to build the next generation of open network identity
services; and to establish open XML-based file formats and
language-independent component application programming interfaces (APIs).
New in OpenSSO Build 4, according to Pat Patterson's blog: (1) New
OpenSSO configurator; the developers request feedback on the new
configuration UI, via the project mailing lists; (2) WS-Trust Security
Token Service (STS) is available on Glassfish, Sun Application Server,
Sun Web Server, Geronimo, Tomcat and WebSphere; we've done a lot of
trickery with classloaders to get this working across a wide range of
containers... still working on support in Oracle Application Server,
JBoss and WebLogic Server; (3) Simplified STS client sample; (4)
Configuration and/or user store replication across multiple OpenSSO
instances where the embedded instance of OpenDS is in use; (5)
Security/SSL related fixes; (6) General bug fixes in all areas." Note:
OpenDS is an open source community project building a free and
comprehensive next generation directory service. OpenDS is designed
to address large deployments, to provide high performance, to be
highly extensible, and to be easy to deploy, manage and monitor. The
directory service includes not only the Directory Server, but also
other essential directory-related services like directory proxy,
virtual directory, namespace distribution and data synchronization.
Initial development of OpenDS was done by Sun Microsystems, but is
now available under the open source Common Development and Distribution
License (CDDL).

Using the Eclipse BPEL Plug-In for WS-BPEL V2.0 Business Processes

2008-04-03T06:05:00.001-07:00

BPEL V2.0 is a powerful language intended to help in development of huge,
complex applications consisting of a lot of other components and Web
services. The BPEL vendor-neutral specification was developed by OASIS
to specify business processes as a set of interactions between Web
services. BPEL allows you to describe long-running workflows using
graphical editors to present workflows on human-friendly diagrams.
The Apache Foundation calls its implementation of the Web Services
Business Process Execution Language (WS-BPEL) V2.0 the Orchestration
Director Engine (ODE). ODE executes WS-BPEL processes, which are capable
of communicating with Web services, sending and receiving messages, etc.
The Eclipse BPEL project is a related open source project that provides
an Eclipse plug-in for the visual development of WS-BPEL V2.0 processes.
This article examines ODE V1.1 and the Eclipse BPEL project milestone M3,
describing how to create your own BPEL process and integrate it into
your application. Summary from the ODE web site: "WS-BPEL is an XML-based
language defining several constructs to write business processes. It
defines a set of basic control structures like conditions or loops as
well as elements to invoke web services and receive messages from
services. It relies on WSDL to express web services interfaces. Message
structures can be manipulated, assigning parts or the whole of them to
variables that can in turn be used to send other messages. Apache ODE
(Orchestration Director Engine) executes business processes written
following the WS-BPEL standard. It talks to web services, sending and
receiving messages, handling data manipulation and error recovery as
described by your process definition. It supports both long and short
living process executions to orchestrate all the services that are part
of your application."

Approval of ISO/IEC DIS 29500 as an International Standard

2008-04-03T06:04:00.000-07:00

"'ISO/IEC DIS 29500, Information technology -- Office Open XML File
Formats', has received the necessary number of votes for approval as
an ISO/IEC International Standard... The Ballot Resolution Meeting
(BRM) was held in Geneva during the week 25-29 February 2008. By
eliminating redundancies, the comments had been reduced to just over
1,000 individual issues to be considered. Issues considered as
priorities by national members (such as accessibility, date formats,
conformance issues) were discussed, and the other comments were
addressed through a voting process on the remaining items, a system
agreed by the BRM participants. The issues addressed and revised have
resulted in sufficient national bodies withdrawing their earlier
disapproval votes, or transforming them into positive votes, so that
the criteria for approval of the document as an International Standard
have now been met. Subject to there being no formal appeals from ISO/IEC
national bodies in the next two months, the International Standard
will accordingly proceed to publication. ISO/IEC 29500 is a standard
for word-processing documents, presentations and spreadsheets that is
intended to be implemented by multiple applications on multiple
platforms. According to the submitters of the document, one of its
objectives is to ensure the long-term preservation of documents created
over the last two decades using programmes that are becoming incompatible
with continuing advances in the field of information technology. ISO/IEC
DIS 29500 was originally developed as the Office Open XML Specification
by Microsoft Corporation which submitted it to Ecma International, an
information technology industry association, for transposing into an
ECMA standard. Following a process in which other IT industry players
participated, Ecma International subsequently published the document
as ECMA standard 376. Ecma International then submitted the standard
in December 2006 to ISO/IEC JTC 1, with whom it has category A liaison
status, for adoption as an International Standard under the JTC 1 "fast
track" procedure. This allows a standard developed within the IT industry
to be presented to JTC 1 as a draft international standard (DIS) that
can be adopted after a process of review and balloting. This process
has now been concluded with the end of the 30-day period following the
ballot resolution meeting. The process was open to the IEC and ISO
national member bodies from 104 countries, including 41 that are
participating members of the joint ISO/IEC JTC 1."

Effective, Agile, and Connective

2008-04-02T06:51:00.001-07:00

Composite applications built from predefined enterprise services form
the core of enterprise service-oriented architecture (enterprise SOA).
Ultimately the goal of enterprise SOA is composition of any service
implemented on any technology by any business partner anywhere in the
world. Open, standards-based technology is a key factor in achieving
this level of interoperability -- similar to plugging a telephone into
the wall. Some of the standards needed relate to the technology used
to implement enterprise SOA, while others define business semantics
and the languages used to describe them... In enterprise SOA, business
semantics consist of definitions of enterprise services and business
processes. These definitions must be described in a manner that allows
the technology layer of the architecture to use them to good effect.
There are three types of definition languages, for processes, service
interfaces, and message content. Process definition languages define
the sequence and conditions in which the steps in a business process
occur. With machine-readable definitions, a business process platform
can ensure that the steps are followed correctly. The need for this
ability is related to the way businesses work -- reacting to an event
with an activity. An event can be almost anything -- contact with a
customer or supplier or reception of an order or an invoice. Enterprises
need a way to describe -- clearly and unambiguously -- how the events
that occur relate to activities in the business. The most important
standard for defining processes is Business Process Modeling Notation
(BPMN). It provides a business-oriented, graphical way of identifying
events and describing activities in easy-to-understand diagrams.
Process definition is a critically important area for enterprise SOA,
and BPMN delivers good business value... Message definition languages
are used to define the structure and content of the data that an
enterprise service sends, receives, or consumes. For example, they
define that the same field always has the same name in all messages.
The languages also describe how to combine fields into larger structures,
how to specialize or extend fields and messages to meet specific needs,
and how to represent the message as an XML schema, for example. [A]
leading standard language for message definition is the UN/CEFACT Core
Components Technical Specification (CCTS). UN/CEFACT is the organization
that also developed the international version of EDI. CCTS provides a
rigorous methodology for defining data unambiguously and includes
rules about how to convert language-neutral definitions into XML. Clear,
consistent definitions of the messages used by enterprise services
deliver business value.

DMTF Chairman: New Possibilities in FY 2008

2008-04-02T06:49:00.000-07:00

DMTF Chairman Mike Baskey provides an update on Distributed Management
Task Force activities: "During the past year, we've continued to
streamline the processes both within our organization and in our work
with alliance partners. We are also developing a Conformance Program
that will enable customers to test conformance with the set of standards
that DMTF and our alliance partners are defining. Moreover, we expect
to launch several key initiatives this fiscal year. In addition to the
great work within the System Virtualization, Partitioning, and Clustering
(SVPC) working group around models and profiles, we expect to publish
the Open Virtualization Format ( OVF) specification for virtual appliances.
Another DMTF initiative focuses on federation of CMDBs (configuration
management databases); we expect a preliminary release of the CMDBf
standard this year as well. The CMDBf work within DMTF will connect our
organization to the Information Technology Infrastructure Library (ITIL)
and related process management space to increase the relevance of the
work we do in this area. A third DMTF initiative involves power and
energy management and ties into our collaborative work with The Green
Grid. This important development will improve energy efficiency in the
data center, which has great social significance as we wrestle with
the challenges in that domain... DMTF will also continue to make
significant strides in the areas of server and desktop management --
particularly in the integration of Web services into those and other
related device management initiatives. In addition, a greater degree
of interoperability and conformance testing/certification will become
a reality in this coming year -- a very exciting milestone for our
organization. We're also moving forward in getting more of the DMTF
specifications submitted to the International Standards Organization
(ISO), an increasingly important requirement as we expand our role in
the world of international standards and our industry ecosystem..."

Semantic Web in the News

2008-04-02T06:48:00.001-07:00

The Semantic Web has been in the news a bit recently. There was the
buzz about Twine, a "Semantic Web company", getting another round of
funding. Then, Yahoo announced that it will pick up Semantic Web
information from the Web, and use it to enhance search... Text search
engines are of course good for searching the text in documents, but
the Semantic Web isn't text documents, it is data. It isn't obvious
what the killer apps will be -- there are many contenders. We know
that the sort of query you do on data is different: the SPARQL standard
defines a query protocol which allows application builders to query
remote data stores. So that is one sort of query on data which is
different from text search. One thing to always remember is that the
Web of the future will have BOTH documents and data. The Semantic Web
will not supersede the current Web. They will coexist. The techniques
for searching and surfing the different aspects will be different but
will connect. Text search engines don't have to go out of fashion...
The Media Standards Trust is a group which has been working with the
Web Science Research Initiative [...] to develop ways of encoding the
standards of reporting a piece of information purports to meet: "This
is an eye-witness report"; or "This photo has not been massaged apart
from: cropping"; or "The author of the report has no commercial
connection with any products described"; and so on. Like Creative
Commons, which lets you mark your work with a licence, the project
involves representing social dimensions of information. And it is
another Semantic Web application. In all this Semantic Web news, though,
the proof of the pudding is in the eating. The benefit of the Semantic
Web is that data may be re-used in ways unexpected by the original
publisher. That is the value added. So when a Semantic Web start-up
either feeds data to others who reuse it in interesting ways, or itself
uses data produced by others, then we start to see the value of each
bit increased through the network effect.

Tim Berners-Lee and Distinguished Faculty to Present at LinkedData Planet

2008-04-02T06:47:00.002-07:00

Ken North has provided updated information about the summer LinkedData
Planet Conference. Sir Tim Berners-Lee, Director of the W3C, will deliver
a keynote and a distinguished faculty will deliver a content-rich technical
program at in New York City (June 17-18, 2008). Besides the keynote, there
will be a Linked Data Workshop and a Power Panel. The conference is
co-chaired by Bob DuCharme and Ken North The evolution of the current Web
of "linked documents" to a Web of "linked data" is steadily gaining
mindshare among developers, architects, systems integrations, users, and
the more than 200 software companies developing semantic web-oriented
solutions. Organizations such as Adobe, Google, OpenLink Software, Oracle,
the W3C, and the grassroots Linking Open Data community have actively
provided technology and thought leadership during the embryonic stages of
this evolutionary transition. Notable examples on the Web today include,
DBpedia, the Zoominfo search engine, the Bambora travel recommendation
site, a number of social networking sites, numerous semantic web
technology-based services, various linked data browsers, SPARQL query
language and protocol-compliant data servers and data management systems,
and a growing number of web sites exposing machine-readable data using
microformats, RDFa, and GRDDL. The LinkedData Planet audience will include
system architects, enterprise architects, web site designers, software
developers, consultants and technical managers, all looking to learn more
about linking the growing collection of available data sources and
technologies to get more value from their data for their organizations.

Finding the Right ID

2008-04-02T06:47:00.001-07:00

As Microsoft looks to advance its interoperability initiative, CardSpace
(the company's identity-management framework) promises to play a key
role in providing authentication between Windows and .NET-based
applications on the one end, and the Web, open source technology and
other key enterprise software platforms on the other. Microsoft lowered
a key barrier by adding support for the recently upgraded industry
standard OpenID specification into its CardSpace client identity-management
framework. Still, it could be some time before developers are called on
to use OpenID and CardSpace for cross-platform enterprise applications.
CardSpace is a key component of Microsoft's .NET Framework 3.5 and is
supported in Internet Explorer 7 and Windows. It's built largely on
Microsoft Windows Communication Foundation (WCF), serving as the
identity provider. While OpenID provides single sign-on to social
networking sites and blogs -- letting users log in one time to employ
a public persona across multiple sites -- it's not robust enough to
support government applications, casual Web surfing, financial
transactions or private data access. Microsoft's Chief Identity Architect
Kim Cameron has said in his Identity Weblog that the company is
interested in OpenID as part of a spectrum of solutions. But Cameron
has written that unlike redirection protocols such as SAML, WS-Federation
and OpenID, CardSpace limits the amount of personal information users
need to give out, making Web surfing more secure. Microsoft describes
CardSpace as an identity selector -- the user creates self-issued cards
and associates a limited set of identity data with each. The CardSpace
user interface is security-hardened, and the user decides what
information will be provided.