XML Daily Newslink. Friday, 22 December 2006

[Robin Cover <robin@oasis-open.org>]

XML Daily Newslink. Friday, 22 December 2006
A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover

====================================================

This issue of XML Daily Newslink is sponsored by
Sun Microsystems, Inc.   http://sun.com

====================================================

HEADLINES:

* Last Call: Canonical XML 1.1
* NETCONF Configuration Protocol
* The WS-Policy Story
* WS-Engineer: A Rigorous Approach to Engineering Web Service
  Compositions
* Roadmap for Accessible Rich Internet Applications (WAI-ARIA Roadmap)
* Security Concepts, Challenges, and Design Considerations for Web
  Services Integration
* A Conversation with John Hennessy and David Patterson

----------------------------------------------------------------------

Last Call: Canonical XML 1.1
John Boyer and Glenn Marcy (eds), W3C Technical Report

W3C's XML Core Working Group has published a Last Call Working Draft
for "Canonical XML 1.1". Canonical XML 1.1 is a revision to Canonical
XML 1.0 to address issues raised while producing the "xml:id"
specification. Any XML document is part of a set of XML documents that
are logically equivalent within an application context, but which vary
in physical representation based on syntactic changes permitted by "XML
1.0" and "Namespaces in XML". This specification describes a method
for generating a physical representation, the canonical form, of an XML
document that accounts for the permissible changes. Except for
limitations regarding a few unusual cases, if two documents have the
same canonical form, then the two documents are logically equivalent
within the given application context. XML canonicalization is designed
to be useful to applications that require the ability to test whether
the information content of a document or document subset has been changed.
This is done by comparing the canonical form of the original document
before application processing with the canonical form of the document
result of the application processing. For example, a digital signature
over the canonical form of an XML document or document subset would
allow the signature digest calculations to be oblivious to changes in
the original document's physical representation, provided that the
changes are defined to be logically equivalent by the XML 1.0 or
Namespaces in XML. During signature generation, the digest is computed
over the canonical form of the document. The document is then transferred
to the relying party, which validates the signature by reading the
document and computing a digest of the canonical form of the received
document. The equivalence of the digests computed by the signing and
relying parties (and hence the equivalence of the canonical forms over
which they were computed) ensures that the information content of the
document has not been altered since it was signed.

http://www.w3.org/TR/2006/WD-xml-c14n11-20061220
See also Known Issues: http://www.w3.org/TR/2006/NOTE-C14N-issues-20061220/

----------------------------------------------------------------------

NETCONF Configuration Protocol
Rob Enns (ed), IETF Network Group Proposed Standard Protocol

The IETF RFC-EDITOR announced that a new 'Request for Comments'
document is now available in online RFC libraries as RFC 4741. The
specification has been produced by members of the Network Configuration
Working Group of the IETF (NETCONF), and is now a Proposed Standard
Protocol. The Network Configuration Protocol (NETCONF) defined in this
document provides mechanisms to install, manipulate, and delete the
configuration of network devices. It uses an Extensible Markup Language
(XML)-based data encoding for the configuration data as well as the
protocol messages. The protocol allows the device to expose a full,
formal application programming interface (API). Applications can use
this straightforward API to send and receive full and partial
configuration data sets. The NETCONF protocol uses a remote procedure
call (RPC) paradigm. A client encodes an RPC in XML and sends it to a
server using a secure, connection-oriented session. The server responds
with a reply encoded in XML. The contents of both the request and the
response are fully described in XML DTDs or XML schemas, or both,
allowing both parties to recognize the syntax constraints imposed on
the exchange. A key aspect of NETCONF is that it allows the
functionality of the management protocol to closely mirror the native
functionality of the device. This reduces implementation costs and
allows timely access to new features. In addition, applications can
access both the syntactic and semantic content of the device's native
user interface.

http://xml.coverpages.org/IETF-RFC4741.txt
See also the IETF NETCONF WG Charter: http://www.ietf.org/html.charters/netconf-charter.html

----------------------------------------------------------------------

The WS-Policy Story
William Brogden, SearchWebServices.com

As the concept of XML-based "Web services" has grown from the simple
days of XML-RPC things have gotten a lot more complicated. The
pioneering developers communicated service requirements in text
documentation, sample code and user mailing lists. Then came SOAP and
more formal documentation such as WSDL and UDDI. Now the list of formal
specifications related to Web services and generated by a variety of
organizations is astonishingly long. The Web Services Policy Framework
is intended to provide a basic general purpose model and XML syntax
for describing policies related to a Web service. Policies can be
defined, not only for a given Web service, but also by potential
clients of the service. For example, your company might require that
developers only access Web services using digital signatures. WS-Policy
functions as an addition to WSDL, UDDI and other WS-* specifications.
A WS-Policy document expresses rules that may be as simple as a
requirement to use WS-Addressing in SOAP headers or as complex as
giving a list of "assertions" about alternate message signing
algorithms which the service can recognize. Essentially, WS-Policy
attempts to formalize in both machine- and human-readable form aspects
of Web service communication that might otherwise require extensive
text documentation or direct person to person communication. For me the
question is: will WS-policy prove to be the solution to the obvious
problem of helping developers coordinate all of the various
specifications related to Web services or will it join the ranks of
elegant specifications that everybody admires but few people use?

http://searchwebservices.techtarget.com/tip/0,289483,sid26_gci1235723,00.html
See also the Guidelines: http://www.w3.org/TR/2006/WD-ws-policy-guidelines-20061221

----------------------------------------------------------------------

WS-Engineer: A Rigorous Approach to Engineering Web Service Compositions
Howard Foster, XML 2006 Presentation

We believe the issues in designing complex web service compositions and
choreography can be eased by modelling the required interactions in an
accessible and concise notation which can then be used to verify and
validate not only web service workflows but choreography behaviour over
cross-domain services. This paper presents an engineering approach to
designing, implementing and maintaining web service behaviour
specifications, as XML documents, covering the current web service
standards stack. We present a rigorous approach to formally specifying,
modelling, verifying and validating the behaviour of web service
compositions with the goal of simplifying the task of designing
coordinated distributed services and their interaction requirements.
Through the use of our Eclipse plug-in tool, known simply as
'WS-Engineer', we firstly provide examples of designing service
interaction behaviour models using UML style Message Sequence Charts,
and describe how these can be used to generate XML specifications,
which are then used to generate formal models of system behaviour. Web
Service standards are used as an implementation example, with models
generated from the XML of BPEL4WS and WS-CDL, that represent web
service orchestrations and choreography respectively. Through the use
of formal model verification techniques, the behaviour specified in
these XML documents can be checked for service interaction violations
between design and implementation, between processes (as service
conversations) and by the role of the processes. Obligations analysis
considers how each service either fulfills or falls short of providing
sufficient interactions in service choreography.

http://2006.xmlconference.org/proceedings/4/presentation.pdf
See also the abstract: http://2006.xmlconference.org/programme/presentations/4.html

----------------------------------------------------------------------

Roadmap for Accessible Rich Internet Applications (WAI-ARIA Roadmap)
Richard Schwerdtfeger, R. Schwerdtfeger, J. Gunderson; W3C WD

W3C announced that its Protocols and Formats Working Group has
published updated Working Drafts for the WAI-ARIA suite of
specfications which describes accessibility of rich Web content
using interactive technologies such as AJAX and DHTML. The
Protocols and Formats Working Group (PFWG) Charter  has been updated
to allow the group to publish Recommendation-track documents.
Accordingly, WAI-ARIA Roles and States and Properties are now intended
to become W3C Recommendations; the Roadmap remains a draft Working
Group Note. The "Roadmap for Accessible Rich Internet Applications"
(WAI-ARIA Roadmap) addresses the accessibility of dynamic Web content
for people with disabilities. The roadmap outlines the technologies to
map controls, AJAX live regions, and events to accessibility APIs,
including custom controls used for Rich Internet Applications. The
roadmap also outlines new navigation techniques to mark common Web
structures as menus, primary content, secondary content, banner
information and other types of Web structures. These new technologies
can be used to improve the accessibility and usability of Web
resources by people with disabilities, without extensive modification
to existing libraries of Web resources. "Roles for Accessible Rich
Internet Applications" defines a simple way for an author to make
custom widgets (new interactive elements) accessible, usable, and
interoperable. The role attribute defined in the XHTML Role Attribute
Module is the preferred way to expose these roles in XHTML
applications. This specification provides an ontology of roles that can
be used to improve the accessibility and interoperability of Web Content
and Applications. "States and Properties Module for Accessible Rich
Internet Applications defines a syntax for adding accessible state
information and author settable properties for XML.

http://www.w3.org/TR/2006/WD-aria-roadmap-20061220/
See also the Suite Overview: http://www.w3.org/WAI/intro/aria

----------------------------------------------------------------------

Security Concepts, Challenges, and Design Considerations for Web
Services Integration
Gunnar Peterson and Howard Lipson, BuildSecurityIn

Security risks are inherent in all integration technologies. The
emergence of web services as an integration pattern presents new threats
and opportunities for a system's security. Beyond the initial hype,
where web services were viewed as a security pandemic, lie both real
risks and new security paradigms. Web services evolved after
object-oriented programming and component programming models were
already in place, but web services represent a fundamentally different
approach based on a document-oriented model designed for
interoperability at a document, typically XML, level. Hence, security
and software architects must consider message schemas, types, values,
and message exchange patterns in their designs. Standards are
increasingly important because web services can traverse organizational,
geographical, and technical boundaries. Since message exchange is a core
part of web services? architectural design, a high level of security
must be built into the messages from the outset, as well as into the
services and systems. Protecting the messages that the services and
systems operate on is a central aspect of web services security and will
be a major focus of this document. Unfortunately, this is not the only
security issue that web services developers must be concerned with, and
so guidance on other issues will be presented as well. For example,
issues of trust relating to services and systems that are not in your
direct control pervade the web services landscape and must be addressed
early in the development life cycle through security policies and
building in a monitoring capability for security violations. The central
theme of this article is that web services developers must address
security concerns as early as possible in the system development life
cycle so as to 'build security in' rather than attempt the often futile
task of patching security onto a system after security problems are
manifested in the field.

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/assembly/639.html

----------------------------------------------------------------------

A Conversation with John Hennessy and David Patterson
Kunle Olukotun (Interviewer), ACM Queue

The Berkeley-Stanford duo who wrote the book (literally) on computer
architecture here discuss current innovations and future challenges.
Excerpt: "We're really in the early stages of how we think about
[parallel computing]. If it's the case that the amount of parallelism
that programmers will have to deal with in the future will not be just
two or four processors but tens or hundreds and thousands for some
applications, then that's a very different world than where we are
today.  On the other hand, there's exciting stuff happening in software
right now. In the open source movement, there are highly productive
programming environments that are getting invented at pretty high
levels. Everybody's example is Ruby on Rails, a pretty different way
to learn how to program. This is a brave new world where you can rapidly
create an Internet service that is dealing with lots of users. In the
RAMP community, we've been thinking about how to put this in the hands
of academics. Maybe we should be putting a big RAMP box out there on
the Internet for the open source community, to let them play with a
highly scalable processor and see what ideas they can come up with. I
guess that's the right question: What can we do to engage the open
source community to get innovative people, such as the authors of Ruby
on Rails and other innovative programming environments? The parallel
solutions may not come from academia or from research labs as they
did in the past.

http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=445

----------------------------------------------------------------------

XML Daily Newslink and Cover Pages are sponsored by:

BEA Systems, Inc.         http://www.bea.com
IBM Corporation           http://www.ibm.com
Innodata Isogen           http://www.innodata-isogen.com
SAP AG                    http://www.sap.com
Sun Microsystems, Inc.    http://sun.com

----------------------------------------------------------------------

Newsletter subscribe: xml-dailynews-subscribe@lists.xml.org
Newsletter unsubscribe: xml-dailynews-unsubscribe@lists.xml.org
Newsletter help: xml-dailynews-help@lists.xml.org
Cover Pages: http://xml.coverpages.org/

----------------------------------------------------------------------