XML Daily Newslink. Tuesday, 13 February 2007

[Robin Cover <robin@oasis-open.org>]

XML Daily Newslink. Tuesday, 13 February 2007
A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover

====================================================

This issue of XML Daily Newslink is sponsored by
SAP AG  http://www.sap.com

====================================================

HEADLINES:

* Public Review for WS-ReliableMessaging, WS-RM Policy, WS-MakeConnection
* Ten Predictions for XML in 2007
* BEA WebLogic 10 Preview Gets Java Certified
* Sun Pairs Unix with Open-Source Solaris + AMP Stack: SAMP
* An Integrated Approach to Federated Identity and Privilege Management
  in Open Systems
* Dynamic Symmetric Key Provisioning Protocol
* Trucking Firm Turns to RFID to Fill Black Hole

----------------------------------------------------------------------

Public Review for WS-ReliableMessaging, WS-RM Policy, WS-MakeConnection
WS-RX TC Members, Public Review Drafts

Members of the OASIS Web Services Reliable Exchange (WS-RX) TC have
released a specification set for 15-day public review. WS-RX TC Chairs
are Paul Fremantle and Sanjay Patil; the document editors include Doug
Davis (IBM), Anish Karmarkar (Oracle), Gilbert Pilz (BEA), Steve Winkler
(SAP) and Umit Yalcinalp (SAP). [1] "Web Services Reliable Messaging
(WS-ReliableMessaging) 1.1" describes a protocol that allows messages
to be transferred reliably between nodes implementing this protocol in
the presence of software component, system, or network failures. The
primary goal of the specification is to create a modular mechanism for
reliable transfer of messages. It defines a messaging protocol to
identify, track, and manage the reliable transfer of messages between
a source and a destination. It also defines a SOAP binding that is
required for interoperability, and additional bindings can be defined.
[2] The "Web Services ReliableMessaging Policy Assertion (WS-RM Policy)
1.1" specification defines a domain-specific policy assertion for
reliable messaging for use with WS-Policy and WS-ReliableMessaging.
[3] "Web Services Make Connection (WS-MakeConnection) 1.0" was created
by extracting content from Section 10 of an earlier draft of the
principal WS-RM specification.  The primary goal of WS-MakeConnection
is to create a mechanism for the transfer of messages between two
endpoints when the sending endpoint is unable to initiate a new
connection to the receiving endpoint. It defines a mechanism to
uniquely identify non-addressable endpoints, and a mechanism by which
messages destined for those endpoints can be delivered. This mechanism
is extensible allowing additional functionality, such as security, to
be tightly integrated. WS-MakeConnection integrates with and
complements the WS-ReliableMessaging (WS-RM), WS-Security, WS-Policy,
and other Web services specifications. Combined, these allow for a
broad range of reliable, secure messaging options. By using the XML,
SOAP, and WSDL extensibility models, these WS* specifications are
designed to be composed with each other to provide a rich Web services
environment.

http://docs.oasis-open.org/ws-rx/wsrm/200702/wsrm-1.1-spec-cd-05.html
See also WS-MakeConnection: http://docs.oasis-open.org/ws-rx/wsmc/200702/wsmc-1.0-spec-cd-01.html

----------------------------------------------------------------------

Ten Predictions for XML in 2007
Elliotte Rusty Harold, IBM developerWorks

2007 is shaping up to be the most exciting year since the community
drove off the XML highway into the Web services swamp half a decade
ago. XQuery, Atom, Atom Publishing Protocol (APP), XProc, and GRRDL
are all promising new power. If I had to choose one big story for
next year, it would be the Atom Publishing Protocol (APP). APP started
out as a standard way to post blog entries, but it's turning into
much, much more. APP and Atom stand ready to do for Web authoring what
the Hypertext Transfer Protocol (HTTP) and Hypertext Markup Language
(HTML) did for Web browsing. Tim Berners-Lee always meant the Web to
be a read-write medium, but it didn't work out that way. Only the
publishing/reading half of the system has been in place for the last
15 years. Writing happened using severely limited HTML forms or non-HTTP
methods like File Transfer Protocol (FTP). APP defines a standard means
of publishing new content that all servers can implement. Independent
software vendors can write their own authoring tools that talk to APP
services on the different servers. You'll finally be able to use full-
blown editors like Word or Emacs to write Web content, rather than the
limited tools you find in a browser. Uploading content can become as
simple as saving a file on the local hard drive is today. APP is the
first major protocol to be based on Representational State Transfer
(REST), the architecture of the Web. Most systems to date have only
used a subset of HTTP, usually GET and POST but not PUT or DELETE. Many
systems like SOAP and Web-based Distributed Authoring and Versioning
(WebDAV) have been actively contradictory to the design of HTTP. APP,
by contrast, is working with HTTP rather than against it. If I'm right,
and APP takes off, then this will have a couple of important
consequences. First, APP will be a nice example that shows people how
to design new systems RESTfully. Second, it will force a lot of naive
firewalls and proxy servers to be reconfigured to allow PUT and DELETE
to pass through, along with POST and GET. This should help eliminate
the need to tunnel everything through POST, and make other RESTful apps
a lot more plausible.

http://www-128.ibm.com/developerworks/xml/library/x-xml2007predictions.html
See also Atom references: http://xml.coverpages.org/atom.html

----------------------------------------------------------------------

BEA WebLogic 10 Preview Gets Java Certified
Staff Writer, Computer Business Review Online

The second technology preview of BEA Systems Inc's next appserver
offering, WebLogic Server 10, is now available for download. More
importantly, it's gotten Java EE 5 certified. That puts it in the
queue, behind Sun, SAP NetWeaver, and Tmax Soft Inc (a South Korean
vendor), which have the only production-certified versions, and Red
Hat's JBoss, which has a certified version in beta. The obvious big
piece is support of Enterprise Java Beans (EJB) 3.0, which is a kinder,
gentler remake of what has been a highly complex distributed component
stack. And consistent with what BEA terms its "blended source" strategy,
it also natively supports open source deviants, like JPA (Java
Persistence API) and JDO (Java Data Objects) that came from the
SolarMetric Kodo acquisition. Other highlights of Java EE 5 support
include the web services extensions, including Java API for XML-based
web services 2.0, and Java Architecture for XML Binding 2.0. Related
to that, WebLogic Server 10 adds support of some of the latest OASIS
web services security standards, including WS-SecureConversations
1.3; WS-Security 1.1; WS-Security 1.1; WS-SecurityPolicy 1.2 and 1.3;
and WS-Trust 1.3.

http://www.cbronline.com/article_news.asp?guid=6EB4C45E-3F96-4733-A1C6-03A8970E4E76

----------------------------------------------------------------------

Sun Pairs Unix with Open-Source Solaris + AMP Stack: SAMP
Paul Krill, InfoWorld

You've heard of LAMP, the popular open-source infrastructure stack
featuring the Linux operating system, the Apache Web server, MySQL's
database, and the Perl, Python and PHP (Hypertext Preprocessor)
scripting languages. Sun plans to spotlight a variation on that
mixture, replacing Linux with its own Solaris Unix OS as part of its
Solaris + AMP, or SAMP, stack for building Web applications. Featured
in Sun's rollout on Tuesday are versions of the open-source AMP
components optimized for the Solaris 10 OS plus Sun developer tools.
The Solaris + AMP unveiling is part of a multifaceted announcement
of free development offerings to debut on Tuesday with Sun hoping to
sell support as a way to generate revenues. While stressing that Sun
was not trying to compete with LAMP itself, Dan Roberts, Sun's
director of developer tools marketing, did note that Sun believes
its Solaris platform presents a viable competitor to Linux. Developers
can build to Apache, MySQL, and the scripting languages but deploy
their applications on Solaris or the open-source variant, OpenSolaris,
to get advantages such as reliability and security. The company is
featuring the PostgreSQL object-relational database as part of the
stack along with MySQL. Sun tools and other open-source technologies
also are included, and step-by-step instructions on deploying the
stack are offered.  In the Solaris Express, Developer Edition, an
integrated environment for developing applications for Solaris, Java,
and Web 2.0 is featured, and a simplified install mechanism is part
of the package. Also included is an improved Gnome-based desktop and
Sun development tools, including Sun Studio 11 and the NetBeans 5.5
IDE. Sun is packaging more than 150 open-source applications with
Solaris Express, Developer Edition. The Glassfish application server
is featured as well.

http://www.infoworld.com/article/07/02/12/HNsamp_1.html
See also the Sun announcement: http://www.sun.com/aboutsun/pr/2007-02/sunflash.20070213.1.xml

----------------------------------------------------------------------

An Integrated Approach to Federated Identity and Privilege Management
in Open Systems
R. Bhatti, E. Bertino, and A. Ghafoor; Communications of the ACM

Online partnerships depend on federations of not only user identities
but also of user entitlements across organizational boundaries... Here,
we discuss the shortcomings of federated identity mechanisms and their
integration with privilege management mechanisms. We also present an
integrated approach to federated identity and privilege management
specifically designed for Web-based platforms. A basic requirement
our authorization model must satisfy is suitability to Web-based
applications. To do so, we chose X-GTRBAC as the access control
specification language; it has been shown to be effective in enabling
access control in dynamic Web-service applications due to its XML-based
modular and flexible context-aware policy specification. The central
idea is that the X-GTRBAC system uses credentials supplied by users
to assign them to roles, or authentication, subject to assignment
constraints. Users might subsequently access resources according to
their role memberships, or authorization, subject to access
constraints... Our X-GTRBAC-based specification provides one,
designed to accept SAML-encoded assertions as a form of credential.
Using a SAML profile in the X-GTRBAC system requires a translation
from SAML encoding to the X-GTRBAC format, and vice versa, using
Extensible Stylesheet Language Transformations, a standard for syntax-
oriented XML document transformation. This framework is a novel attempt
to address the identity and entitlement federation issues we've
discussed here. It integrates two security standards (RBAC and SAML)
in order to create an access-management specification for open
systems. It complements other efforts in this direction aimed at
allowing interoperable access management using standard protocols.
Our grammar specification supports federated identity and privilege
management while meeting the requirements we've outlined. Future
challenges include integrating our specification with existing
directory schemes to support property-based credentials, trust
negotiation protocols for incremental attribute collection, and state
information for anonymous users to ensure proper accountability.

http://xml.coverpages.org/saml.html#BhattiFedIdentity

----------------------------------------------------------------------

Dynamic Symmetric Key Provisioning Protocol
Mingliang Pei and Salah Machani (eds), IETF Internet Draft

This Internet draft describes a standard client-server protocol that
enables a client device to download and install authentication
credentials from a provisioning server in a secure and efficient
manner. The prime example of such an authentication credential is a
shared secret for One-Time-Password (OTP) software token in a device.
The protocol is for dynamic provisioning of shared secret to a user
device; it is not a bulk provisioning protocol that transfers token
records from a provisioning server to an authentication system. This
protocol will only support the provisioning of symmetric secret key
types. Asymmetric key pair provisioning isn't the purpose of this
protocol. The protocol is a web services XML-based protocol with
multiple profiles to support lightweight small footprint clients such
as smart cards, as well as more advanced device platforms such as USB
tokens and PDAs/smart phones. Existing symmetric key delivery protocols
are specific to one authentication method, or are proprietary to a
particular vendor implementation. The industry needs a simple
provisioning protocol standard to enable interoperability across
vendors and to provision multiple shared secret types. This work is
a joint effort by the members of OATH (Initiative for Open
AuTHentication) to specify a protocol that can be freely distributed
to the technical community. The authors believe that a common and
shared specification will facilitate adoption of two-factor
authentication on the Internet by enabling interoperability between
commercial and open-source implementations.

http://xml.coverpages.org/draft-pei-keyprov-dynamic-symkey-prov-protocol-00.txt
See also OATH and IETF: http://www.openauthentication.org/news/pr_07_01_31.asp

----------------------------------------------------------------------

Trucking Firm Turns to RFID to Fill Black Hole
Marc L. Songini, ComputerWorld

Horizon Lines Inc. has turned to radio frequency identification (RFID)
technology to track containers seamlessly from a Seattle distribution
center over the sea and land to their final destination in Alaska.
While containers can be monitored while in ships and trains,
historically, they vanish into black holes when being trucked on
highways. Passive RFID tags have no local power source, and must be
contacted by readers before they can transmit data, using the reader
as a source of energy, and are generally limited to a few feet in
range. To overcome the lack of highway readers, the company placed
so-called active RFID tags, which use an internal power source to
contact readers, on 5100 containers. The active tags have a range of
about 300 feet and can be read while moving at speeds of up 75 miles
per hour. The active RFID tags used were from Identec Solutions Inc.,
a U.K.-based maker of RFID systems. Also participating in the pilot
was Safeway Inc., a Pleasanton, Calif.-based retail grocer that ships
goods to its Alaska stores on Horizon trucks. Horizon officials
wouldn't disclose the amount of savings generated by the new process,
but noted that it permits a shipper to know the exact location of a
load, the time of delivery, and allow it to schedule its operations
more precisely and plan for any exceptions, delays or high priority
movements. If there are problems with a shipment delivery, such as a
truck breakdown, the customer can react accordingly.  Horizon would
like to tag every container in its entire fleet, creating supply chain
visibility all the way from Hawaii, Guam, and Puerto Rico to the
continental United States. The Horizon Services Group, he noted is
now studying methods for deploying an RFID reader network on the
highway system in the continental United States.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011214
See also RFID readings: http://xml.coverpages.org/rfid.html

----------------------------------------------------------------------

XML Daily Newslink and Cover Pages are sponsored by:

BEA Systems, Inc.         http://www.bea.com
IBM Corporation           http://www.ibm.com
Innodata Isogen           http://www.innodata-isogen.com
SAP AG                    http://www.sap.com
Sun Microsystems, Inc.    http://sun.com

----------------------------------------------------------------------

Newsletter subscribe: xml-dailynews-subscribe@lists.xml.org
Newsletter unsubscribe: xml-dailynews-unsubscribe@lists.xml.org
Newsletter help: xml-dailynews-help@lists.xml.org
Cover Pages: http://xml.coverpages.org/

----------------------------------------------------------------------