XML Daily Newslink. Friday, 16 March 2007

A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover

====================================================

This issue of XML Daily Newslink is sponsored by
SAP AG  http://www.sap.com

====================================================

HEADLINES:

* W3C Call for Implementations: XML Binding Language (XBL) 2.0
* Mandatory Open Standards in Denmark
* Lightbulb is Dead: Long Live OpenSSO Extensions!
* A Phased Approach for Converting SQL-centric Applications to LINQ
* SAP Architecture: Enterprise SOA Basics
* Web Services Profile of XACML (WS-XACML)
* Entitlement Management: The Next Security Wave
* MSXML4 is Going to Be Kill Bit-ed
* Real-world IT Security Challenges: Doing Away with Passwords
* Red Hat Strikes Back With Next Generation Linux

----------------------------------------------------------------------

W3C Call for Implementations: XML Binding Language (XBL) 2.0
Ian Hickson (ed), W3C Technical Report

W3C has announced the advancement of the "XML Binding Language (XBL)
2.0" specification to Candidate Recommendation status. The Working
Group now encourages implementations. The specification will remain a
Candidate Recommendation until two complete and interoperable
implementations exist, and that stage will not conclude before
1-September-2007. An implementation will only be considered if it is
publicly downloadable or available through some other public point-of-
sale mechanism, is intended for a wide audience, and could be used on
a daily basis. To be "complete and interoperable", an implementation
must pass every test in a comprehensive test suite covering every
normative requirement of the specification. Written feedback is also
welcome: the editor guarantees that all feedback sent to the lists
named in the specification will receive a response before the
specification advances to the next stage of the W3C process. While
feedback is welcomed on all aspects of the specification, especially
from implementors and from authors using XBL on the Web, it is
especially requested on two contentious issues: (1) possible use of
the global 'xml:id' attribute instead of 'id'; (2) a possible new
feature to allow script running outside an element's bindings to get
access to the shadow tree or its bound element in the absence of an
explicit binding. XBL describes how to associate elements in a
document with script, event handlers, CSS, and more complex content
models, which can be stored in another document. This can be used to
re-order and wrap content so that, for instance, simple HTML or XHTML
markup can have complex CSS styles applied without the markup being
polluted with multiple semantically neutral 'div' elements. The
element that a binding is attached to, called the bound element,
acquires the new behavior and presentation specified by the binding.
Bindings can contain event handlers that watch for events on the
bound element, an implementation of new methods and properties that
become accessible from the bound element, shadow content that is
inserted underneath the bound element, and associated resources such
as scoped style sheets and precached images, sounds, or videos. XBL
can also be used to implement new DOM interfaces and, in conjunction
with other specifications, enables arbitrary tag sets to be
implemented as widgets; for example, XBL could be used to implement
the form controls in XForms or HTML. A companion document, "Behavioral
Extensions to CSS", describes a way to link to binding technologies
such as XBL from CSS style sheets. This allows bindings to be
selected using the CSS cascade, and thus lets bindings transparently
benefit from the user style sheet mechanism, media selection, and
alternate style sheets. Note that because a binding can carry script,
selecting bindings from CSS means any style sheet applied to a
document can attach script to its elements: style sheet sources then
need the same trust as script sources.

http://www.w3.org/TR/2007/CR-xbl-20070316/
See also Behavioral Extensions to CSS: http://www.w3.org/TR/becss/

----------------------------------------------------------------------

Mandatory Open Standards in Denmark
John Goetze, Blog

The Danish Minister of Science, Technology and Innovation, Helge Sander,
recently made a press announcement about his plan for following up on
the Parliament Resolution passed eight months ago. The implementation
plan is presented in a report which suggests that "open standards
should be implemented gradually by making it mandatory for the public
sector to use a number of open standards when this becomes technically
feasible". The report identifies an initial set of open standards as
candidates for mandatory use from 1 January 2008 "if an economic impact
assessment shows that this will not involve additional costs to the
public sector". The implementation plan's elements are as follows
[excerpted]: (1) "From 1 January 2008, all new public IT solutions
should make use of the mandatory open standards relevant to the IT
solution in question unless there are significant reasons for not
complying with these standards."; (2) "If there are significant
reasons for not complying with the relevant mandatory open standards,
this must be reported on signing the contract, stating the reasons for
applying the exceptional provisions." [...] The proposed mandatory
standards from 1-January-2008 fall within the following areas:
standards for data interchange between public authorities; standards
for electronic file and document handling; standards for exchanging
documents between public authorities (Open Document Format and Office
OpenXML); standards for electronic procurement in the public sector;
standards for digital signatures; standards for public websites /
homepages; standards for IT security -- only within the public sector.
Around a dozen standards in all: compliant XHTML or HTML, compliant
CSS, WAI Level 2, OCES (digital signature), XML 1.0, XML Schema 1.0,
NDR 3.0, FESD (document management), OIOUBL, UNSPSC, and DS484
(ISO 17799). With regard to standards for exchanging documents between
public authorities, the report proposes that "it should be mandatory
to use at least one of the document standards Open Document Format or
Office OpenXML", and that it is up to the individual agency to decide
which they want. The report explains that a study will be conducted
this year with the purpose of obtaining the necessary experience with
these standards before 1-January-2008...

http://gotze.eu/2007/02/mandatory-open-standards-in-denmark.html
See also the report summary: http://xml.coverpages.org/Denmark-B103-Summary.pdf

----------------------------------------------------------------------

Lightbulb is Dead: Long Live OpenSSO Extensions!
Pat Patterson, Blog

In October 2006, OpenSSO developers released the first SAML 2.0
implementation in PHP, codenamed 'Project Lightbulb' (because a
Lightbulb fits into LAMP). Lightbulb was initiated as an Open Web
Single Sign-On (OpenSSO) subproject, designed to achieve federated
identity for LAMP (Linux, Apache, MySQL, PHP, Python, and Perl) and
MARS (MySQL, Apache, Ruby, and the Solaris Operating System).
Lightbulb offered a service provider (SP) written in PHP that speaks
Security Assertion Markup Language (SAML) 2.0. In the few months since
then, other folks have proposed similar extensions to OpenSSO, and the
'Lightbulb' name has looked increasingly anachronistic, particularly
since the core OpenSSO project has always fully supported LAMP with
its Apache HTTP Server and Tomcat policy agents. "Today, we launch
OpenSSO Extensions, OpenSSO's code incubator, with three initial
modules: (1) the SAML 2.0/PHP relying party formerly known as Project
Lightbulb; (2) an OpenID Identity Provider for OpenSSO, contributed
by long-time OpenSSO committer Paul Bryan; (3) a PHP Client SDK for
OpenSSO, contributed by Francesco Chicchiricco. To come: a SAML 2.0
Ruby Relying Party. So: what is an OpenSSO Extension? Well, it's any
piece of code that either extends OpenSSO to provide new functionality,
for example the OpenID identity provider, or interfaces with OpenSSO,
extending other systems, such as the PHP Client SDK and SAML 2.0
relying party. OpenSSO Extensions is an incubator for modules that
build on the access control, single sign-on and federation technology
in OpenSSO, but are not part of the core project..."

http://blogs.sun.com/superpat/entry/lightbulb_is_dead_long_live
See also the OpenSSO Extensions web site: https://opensso.dev.java.net/public/extensions/

----------------------------------------------------------------------

A Phased Approach for Converting SQL-centric Applications to LINQ
Thiru Thangarathinam, DevX.com

Almost all applications need to integrate some sort of data, often from
multiple data sources such as SQL Server or Oracle database tables.
In .NET languages, you would traditionally perform these operations
using SQL or an SQL variant in conjunction with a data access
technology such as ADO.NET. But when applications need to perform
similar data operations against XML files, you would need to write code
using the XML classes provided by the .NET Framework. While the intent
-- retrieving and updating data from a store -- is the same in both
cases, the knowledge and the code implementations required differ
significantly for each data store. Until now, data access in the .NET
framework has lacked a unified and consistent approach to accessing
data from disparate data sources. To solve these data access
inconsistencies, Microsoft introduced LINQ, the Language INtegrated
Query Framework, which adds general-purpose query facilities for
querying all types of information, including (but not limited to)
relational and XML data. This article discusses a phased approach to
migrate an existing SQL-centered ASP.NET Web site to leverage LINQ.
[Note, from the LINQ Overview: "After two decades, the industry has
reached a stable point in the evolution of object-oriented (OO)
programming technologies. It has become apparent that the next big
challenge in programming technology is to reduce the complexity of
accessing and integrating information that is not natively defined
using OO technology. The two most common sources of non-OO information
are relational databases and XML. Rather than add relational or
XML-specific features to our programming languages and runtime, with
the LINQ project we have taken a more general approach and are
adding general purpose query facilities to the .NET Framework that
apply to all sources of information, not just relational or XML data.
This facility is called .NET Language Integrated Query (LINQ). The
extensibility of the query architecture is used in the LINQ project
itself to provide implementations that work over both XML and SQL
data. The query operators over XML (XLinq) use an efficient,
easy-to-use in-memory XML facility to provide XPath/XQuery
functionality in the host programming language. The query operators
over relational data (DLinq) build on the integration of SQL-based
schema definitions into the CLR type system. This integration provides
strong typing over relational data while retaining the expressive
power of the relational model and the performance of query evaluation
directly in the underlying store."]

http://www.devx.com/dotnet/Article/33959
See also the LINQ Overview: http://msdn2.microsoft.com/en-us/library/aa479865.aspx

----------------------------------------------------------------------

SAP Architecture: Enterprise SOA Basics
Kareemullah Shah Quadri, Blog

"So what is it all about, these buzz words like SOA, ESA? The following
article briefly touches upon Service Oriented Architecture and how
it relates to SAP's vision of transforming the Enterprise business
logic into a set of service oriented components. The intended audience
is basically the beginners who want to know about SOA and ESA,
developers who want to scale up their skills to 'possibly' the new, or
may I say, the next architectural and programming paradigm for SAP.
The article covers: Basic Terminology of Software Architectures; SOA
definition -- why, what, when and how; ESA and its relation to SOA;
Evolution of SAP architecture; What does this change mean for
developers? SOA is a design for linking computational resources
(principally, applications and data) on demand to achieve the desired
results for service consumers, which can be end users or other services.
Services communicate with their clients by exchanging messages which
are platform independent. Thus the services are defined by the messages
they can accept and the responses they can give, which is why XML as
a standard platform independent way of exchanging messages becomes all
the more important. Enterprise Service Oriented Architecture is the
adoption of SOA at an enterprise level. It breaks the traditional
client-server, application-oriented architecture. What Enterprise
oriented architecture has done is to break down each of the core
business functionalities into services. This paves the way for building
reusable components (services) using the existing service repository
and hence promotes a common interoperable platform for service
reuse across disparate systems, not only within but also across the
systems spanning organisations and their partners... Although service
based architecture in Enterprise systems seems to satisfy a more
flexible model of computing, does it or can it come with a further set
of problems vis-a-vis performance, user response time, confusion
between similar sets of services? Can an agent based Architecture with
a set of mobile agents performing the services help overcome the
drawbacks? An Agent can be an independent entity performing a set of
tasks, for example an agent for handling purchase orders which can
replicate and travel across the network. Do you think the agent based
architecture in its true sense (mobile agents across the network) will
be the next Architectural paradigm for the Enterprise?

https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/5884
See also Standards and Enterprise SOA: https://www.sdn.sap.com/irj/sdn/developerareas/esa/standards

----------------------------------------------------------------------

Web Services Profile of XACML (WS-XACML)
Anne Anderson, OASIS Presentation

This PDF document summarizes a presentation made at the OASIS XACML
TC Face-to-Face meeting on 13-March-2007.  Outline: Web Services
Policy Background; XACML Web Services Policy Assertions; XACML
Assertion Format; XACML Assertion Matching; Defined XACML Assertions
[XACMLAuthzAssertion, XACMLPrivacyAssertion]; New XACML Functions and
Attribute Identifiers; Open Issues.  Abstract from "Web Services
Profile of XACML (WS-XACML) Version 1.0": "This document specifies
ways to use XACML in the context of Web Services for authorization,
access control, and privacy policies. It specifies four types of
information. (1) An authorization token or credential based on XACML
to be used in a Web Services context for conveying an authorization
decision from a trusted third party to a Web Service. (2) A policy
Assertion type based on XACML elements for use with WS-Policy or other
schemas and protocols; this Assertion may be used to convey both
requirements and capabilities related to authorization, access control,
and privacy for Web Service clients and for the services themselves.
This Profile specifies standard formats, matching semantics, and
usage guidelines for two Assertions derived from this type: one for
authorization policies and the other for privacy policies. (3) Some
ways in which Attributes for a client MAY be passed to a Web Service
as part of a SOAP message in such a way that they can be authenticated
as having been issued by a trusted authority. These Attributes may be
used by the Web Service in evaluating the internal XACML policies of
a service or enterprise that are relevant to a given Web Services
access. (4) How to express P3P policy preferences and match them
using the new Assertion based on XACML."

http://xml.coverpages.org/xacml.html#Anderson-WS-XACML-F2F200703
See also WD 08: http://www.oasis-open.org/committees/download.php/21490/xacml-3.0-profile-webservices-spec-v1.0-wd-8-en.pdf

----------------------------------------------------------------------

Entitlement Management: The Next Security Wave
Linda Musthaler, Network World

Burton Group analyst Gerry Gebel calls "entitlement management" an
important new development in the security arena -- one that you'll
want to bring into your organization soon. Traditionally, entitlements
have been built into each application your enterprise has. The new
strategy is to remove access management from the applications and run
it as a shared service in front of the applications. Entitlement
management can be used to strengthen the security of Web services, Web
applications, legacy applications, documents and files, and physical
security systems. This approach has several benefits. First and
foremost, it gives you the ability to implement a data-driven policy
that is consistent across all applications. This is becoming more
important in the face of regulatory pressures from Sarbanes-Oxley,
HIPAA, PCI, and the like. With an entitlement management service, you
can simplify your audit and compliance burden. There are several
vendors with products on the market today. Many have chosen a three
module architecture consisting of the Policy Administration Point
(PAP) to provide centralized administration management; the Policy
Decision Point (PDP) to evaluate resource-specific authorization
policies; and the Policy Enforcement Point (PEP) to enforce the
entitlement policies. Rajiv Gupta, founder and CEO of Securent,
says that entitlement management is a strategic layer in the
enterprise, and that it will take years for most companies to deploy
one across their entire company. Many have deployed it across key
applications and lines of business in only a few months' time, though.
He doesn't expect many organizations are willing to rewrite custom
applications to remove the entitlement layer today. However, as
more companies adopt the notion of a service-oriented architecture
(SOA), entitlement management will certainly be a critical service
to centralize.

http://www.networkworld.com/newsletters/techexec/2007/0312techexec1.html
See also the earlier Securent announcement: http://xml.coverpages.org/Securent-EMS-XACML.html

----------------------------------------------------------------------

MSXML4 is Going to Be Kill Bit-ed
Staff, Microsoft XML Team's MSXML WebLog

"As a part of our MSXML4 End of Life plan, we are going to kill bit
MSXML4 in the October - December 2007 timeframe of this year. Kill Bit
applies to Internet Explorer only. After the kill bit, applications
will not be able to create MSXML4 objects in the browser. Applications
outside IE, like C++ apps, will continue to work with MSXML4. We are
announcing this in advance so that our customers get sufficient time
to try their applications with MSXML6 and give us feedback on their
experience. We are going to kill-bit MSXML4 to ensure a secure browsing
experience for our customers. We are planning to also remove MSXML4
from the Download Center page within the next twelve months. Support
for MSXML4 going forward will be restricted to high impact security
issues only. MSXML6 is the latest version available to MSXML customers
today. This is where all the functionality, performance and security
improvements are going in. In addition, MSXML6 provides improved W3C
compliance and increased compatibility with System.XML in .Net. The
recommendation for MSXML customers is to program using MSXML6 and
upgrade applications using older versions to MSXML6. We believe this
is the best plan for MSXML customers going forward: it avoids
confusion regarding multiple versions, ensures a safe browsing
experience when using MSXML, and provides a path to use future
functional improvements. We strongly encourage everyone to start
using MSXML6 SP1. MSXML6 SP1 is now available for all supported
downlevel platforms. The summary is: MSXML6 should be your first
choice. This is the MSXML version that will be carried forward. MSXML6
shipped with Vista and we are working on getting this in downlevel
OS Service Packs. MSXML3 has the advantage of having shipped with
every supported OS; we are committed to keeping MSXML3 robust and
stable but won't be adding any functional improvements. MSXML4 is
in maintenance mode with a very high bar for fixes approaching End
of Life. MSXML 5 is exclusively meant for Office. Do not take any
dependencies on it." The download is available for Microsoft Core
XML Services (MSXML) 6.0 Service Pack 1: "MSXML 6.0 Service Pack 1
(MSXML6.1) has improved reliability, security, conformance with the
XML 1.0 and XML Schema 1.0 W3C Recommendations, and compatibility
with System.Xml 2.0." Supported Operating Systems: Windows 2000
Service Pack 4; Windows Server 2003; Windows Server 2003 Service
Pack 1; Windows XP Service Pack 2.

http://blogs.msdn.com/xmlteam/archive/2007/03/12/msxml4-is-going-to-be-kill-bit-ed.aspx
See also the download: http://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604
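An added example, not from the MSXML team's post: a PowerShell audit of
whether the COM classes behind a list of MSXML ProgIDs are already
kill-bitted for Internet Explorer on the local machine. It relies only
on the documented kill-bit mechanism: IE consults the key
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
and refuses to instantiate the class when bit 0x400 of its
"Compatibility Flags" DWORD is set. The CLSIDs are resolved from the
ProgIDs through HKCR rather than hard-coded; the function name and the
ProgID list at the bottom are our own choices for illustration.

```powershell
# Added example: report kill-bit status for the COM classes behind MSXML ProgIDs.
# Kill bit = bit 0x400 of REG_DWORD "Compatibility Flags" under the ActiveX
# Compatibility key for the class's CLSID. Only Internet Explorer honours it;
# COM clients outside the browser are unaffected.
$KillBitFlag = 0x400
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    param([Parameter(Mandatory = $true)][string[]]$ProgId)

    foreach ($id in $ProgId) {
        # Resolve ProgID -> CLSID through HKCR; no key means that version is not registered.
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\$id\CLSID"
        if (-not (Test-Path -Path $clsidKey)) {
            [pscustomobject]@{ ProgId = $id; Clsid = $null; Installed = $false; KillBit = $null }
            continue
        }
        $clsid = (Get-ItemProperty -Path $clsidKey).'(default)'

        # Missing key or missing value both mean "no compatibility flags", i.e. not kill-bitted.
        $flags  = 0
        $compat = Get-ItemProperty -Path (Join-Path -Path $CompatKey -ChildPath $clsid) `
                                   -ErrorAction SilentlyContinue
        if ($compat -and $null -ne $compat.'Compatibility Flags') {
            $flags = [int]$compat.'Compatibility Flags'
        }

        [pscustomobject]@{
            ProgId    = $id
            Clsid     = $clsid
            Installed = $true
            KillBit   = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

# ProgIDs chosen for this example: the 4.0 classes the post says will be kill-bitted,
# plus the 6.0 replacement for comparison.
$progIds = 'Msxml2.DOMDocument.4.0', 'Msxml2.XMLHTTP.4.0', 'Msxml2.DOMDocument.6.0'
Get-KillBitStatus -ProgId $progIds | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit browser reads the Wow6432Node copy of the
ActiveX Compatibility key, so run this from a 32-bit PowerShell or
check both hives. An organisation that wants the MSXML4 block before
Microsoft ships it can set the same value itself; the post's point
that only IE is affected still applies, so native applications keep
working until they are moved to MSXML6.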

----------------------------------------------------------------------

Real-world IT Security Challenges: Doing Away with Passwords
Roger A. Grimes, InfoWorld

This article reports on a particular company that's doing away with
passwords altogether because it considers passwords one of the
weakest links in its security armor. It has moved to RSA tokens
for two-factor VPNs and fingerprint readers for local logons. The
company did a multiyear test of the best fingerprint readers. The
company is trying to remove any instance where an employee would
have to type in a password, so that it can raise the maximum password
length far beyond the norm. In this particular case, it wanted the
minimum password size to be 128 characters or greater. Yes, it
understands that Windows logon passwords only go to 127 characters,
but it is willing to patch the appropriate DLLs. The thought is to
make passwords so uncrackable and unguessable that they essentially
become a crypto private key (although that would be a misnomer). With
passwords at 128 characters, a password cracker obtaining one of the
password hashes would be far more likely to have a hash collision --
which is just as good as the real password in a Windows environment --
than to crack the actual password... Under this plan, employees would
face a logon screen where they would enter their PIN and RSA token
information and get authenticated. Behind the scenes, RSA and Citrix
would accept the two-factor token authentication information and pass
an extremely long Windows password to authenticate to the needed
Windows resources. It was an interesting proposal, so I called RSA and
Citrix. Both companies replied back immediately that, yes, this was
possible... Both RSA and Citrix had quality products, were responsive,
and had great integration documentation. I can say this: If you are
thinking of getting away from passwords, RSA and Citrix have a great
integration solution for you.

http://www.infoworld.com/article/07/03/16/12OPsecadvise_1.html

----------------------------------------------------------------------

Red Hat Strikes Back With Next Generation Linux
Sean Michael Kerner, InternetNews.com

Red Hat released the latest version of its flagship product, Red Hat
Enterprise Linux 5 (RHEL 5), today with a flurry of new features,
upgrades and improvements. The RHEL 5 release comes as Red Hat faces a
multi-front battle in the operating systems space against rivals
Microsoft, Novell and Oracle. In this release, Red Hat is touting new
virtualization, security, storage and application options that it hopes
will keep it ahead of competitors making a run for Red Hat's market
share. Paul Cormier, executive vice president of engineering at Red Hat,
called it not just the next release of the operating system, but the
next generation for Red Hat. Virtualization is a key new aspect of
RHEL 5, which has been under development for the past eighteen months.
It includes a fully integrated server virtualization capability that
extends throughout the operating system and is fully manageable. New
capabilities added to Red Hat Network management extend it to the
detection, management and creation of new virtualized RHEL guests. The
SELinux implementation also got a big security overhaul in this
release. SELinux implements mandatory access control in the kernel,
confining programs to only the permissions they need; the general idea
is that tightening access control improves security overall. By
contrast, the SELinux implementation in the prior version of RHEL was
considered by many to be difficult to deploy because it lacked an
exhaustive set of targeted policies for application deployments. The
Red Hat Database Availability Solution is all about making databases
such as Oracle, Sybase, MySQL, EnterpriseDB, IBM's DB2 and others more
reliable in a clustered database system.

http://www.internetnews.com/dev-news/article.php/3665641

----------------------------------------------------------------------

XML Daily Newslink and Cover Pages are sponsored by:

BEA Systems, Inc.         http://www.bea.com
IBM Corporation           http://www.ibm.com
Innodata Isogen           http://www.innodata-isogen.com
SAP AG                    http://www.sap.com
Sun Microsystems, Inc.    http://sun.com

----------------------------------------------------------------------

Newsletter subscribe: xml-dailynews-subscribe@lists.xml.org
Newsletter unsubscribe: xml-dailynews-unsubscribe@lists.xml.org
Newsletter help: xml-dailynews-help@lists.xml.org
Cover Pages: http://xml.coverpages.org/

----------------------------------------------------------------------

