XML and Web Services In The News - 9 November 2006

Provided by OASIS | Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by SAP AG



HEADLINES:

 Email Authentication: What? Why? How?
 Mixing Java with XSLT: Simple Xalan Extension Functions
 Complete Program Listings for the XML 2006 Conference
 W3C Releases Initial Working Draft for Widgets 1.0
 Sun, Ubuntu Cross-Certify for JEE5 Server Deployment
 Semantics of Business Vocabulary and Business Rules (SBVR)
 Traceroute Measurements Information Model and XML Data Model
 Is DRM Good or Bad for Consumers?


Email Authentication: What? Why? How?
Eric Allman (Sendmail), ACM Queue
Internet email was conceived in a different world than we live in today. It was a small, tightly knit community, and we didn't really have to worry too much about miscreants. Generally, if someone did something wrong, the problem could be dealt with through social means; 'shunning' is very effective in small communities. E-mail has had a fundamental flaw from the beginning: a lack of authentication. This means that anyone on the Internet can, in theory, send e-mail to anyone else while claiming to be a third person. The reason for this is purely historic: E-mail was one of the very first network protocols — in fact, the first three application layer protocols published for the Internet were telnet, FTP, and SMTP — even before DNS, and before there was any infrastructure to support distributed authentication in the nascent Internet (telnet and FTP used local authentication). Coupled with greed, this is a dangerous property. For example, I have no way to prove that a message that claims to be from my bank actually has anything to do with my bank. This situation is increasingly untenable, which is resulting in calls for authentication technology. Authentication proposals come in two flavors: path-based and signature-based. There are many variations on this theme. Path-based algorithms look at where the mail was sent from. The best-known examples of path-based authentication are SPF (Sender Policy Framework) and Sender ID. Signature-based algorithms, on the other hand, determine whether the message is legitimate by using a cryptographic digital signature on the message. Public-key encryption allows the signer (usually the sender of the message) to publish its public key so that the verifier (usually the recipient) can verify that the message is properly signed. The best-known examples of signature-based algorithms are DomainKeys from Yahoo! and DKIM (DomainKeys Identified Mail), the result of a group effort that started with DomainKeys and IIM (Identified Internet Mail) from Cisco. These are similar algorithms, but they do have distinct differences. For the best protection you should probably use at least one of each type of system. One of the classic misconceptions is that authenticated messages can be trusted. By the very nature of authentication, spammers and phishers can authenticate themselves as well as legitimate senders can. Once you know who someone really is, you also need to know whether this is someone from whom you want to accept mail. The major schemes are accreditation and reputation.

Mixing Java with XSLT: Simple Xalan Extension Functions
Elliotte Rusty Harold, IBM developerWorks
Extensible Stylesheet Language Transformations (XSLT) is a Turing complete programming language. That means that given enough memory, it can calculate anything a program written in any other programming language can calculate. However, this theoretical ability is often impractical. There are several cases where you may need to write code in a more traditional language rather than XSLT. For example: (1) External I/O: For instance, files, databases, or network connections. XSLT has very limited ability to read or write these things. (2) External devices: For instance, Universal Serial Bus (USB) ports or the system clock. (3) Advanced math: XSLT can perform basic arithmetic easily enough, but it doesn't support trigonometry, exponential functions, logarithms, or other more advanced mathematical operators and functions. Although you can implement all of these using the basic operations XSLT does support, such a program would be both unwieldy and slow. Using a language that is designed for such operations dramatically improves both performance and legibility. Fortunately, you can code these tasks in the Java language and then invoke them from your XSLT stylesheets using Xalan. This article shows you how to link Java classes to XSLT to perform these sorts of operations. The means by which XSLT invokes Java classes varies from one XSLT processor to the next. This article focuses on the Apache Foundation's popular Xalan XSLT processor.
See also: the Apache XML Project

Complete Program Listings for the XML 2006 Conference
David Megginson, Conference Announcement
XML 2006 Conference Chair David Megginson has announced the publication of the complete program for the XML 2006 event, to be held on December 5-7, 2006, in Boston, MA, USA. The planning committee has also selected nine presentations from the more than 60 excellent submissions for the late-breaking slots at XML 2006. The IDEAlliance event is called "The world's oldest and biggest XML conference." Tracks include: (1) Enterprise XML Computing; (2) XML on the Web; (3) Documents and Publishing; (4) Hands-On XML. "The Enterprise track looks at XML in the world of small, medium, and large-size business, governments, and other organizations. In the enterprise, IT almost never starts with a clean slate: there are old systems to integrate with new ones, partners who follow different standards, and sometimes severe security and regulatory requirements to meet — and by the way, organizations also hope that new IT projects will cut costs and increase revenue. Presentations at XML 2006 suggest how XML can help. XML is also the glue that holds the new Web together. The "XML on the Web" track looks at the role of XML outside the firewall, where people use it for everything from weblog syndication to Web 2.0 mashups to AJAX to Friend of a Friend. David says: "Even if you cannot come, the [program] lists can make interesting reading. Databases, XQuery, and their intersection have become big topics. We didn't have so many Web Services submissions this year, though the single paper that's attracted the most hits on our site is the W3C's "Web Services Policy Expression Alternatives." [Web Services Policy (WS-Policy) is a general purpose framework for expressing requirements, capabilities, and general characteristics of a Web service, such as security or reliability requirements. We will demonstrate how a variety of current schema and query languages can express these policies and how these languages can clarify and extend policy description.]
See also: organizations represented

W3C Releases Initial Working Draft for Widgets 1.0
Anne van Kesteren and Marcos Caceres (eds), W3C Technical Report
W3C's Web Application Formats Working Group has released the First Public Working Draft specification for Widgets 1.0. This document was produced by the Web Application Formats Working Group, part of the Rich Web Clients Activity in the W3C Interaction Domain. Also known as gadgets or modules, "widgets" are small programs like clocks, stock tickers, news casters, games and weather forecasters that display and update remote data and run on the Web browser environment. Client-side Web applications are typically small self-contained applications for displaying and updating remote data, packaged in a way to allow a single download and installation on a client machine. Most host runtime environments will typically support HTTP, URIs, and Unicode, as well as ECMAScript (JavaScript), CSS, the DOM, and some mechanism for rendering multimedia resources such as images and sounds. They will also include an API that provides functionality that is currently specific to client-side Web Applications, such as persistent storage and read/write access to a sandboxed portion of an end-user's storage device. Also, because of the rise in popularity of Ajax-style development approaches, many host runtime environments now support the XMLHttpRequest object or some similar mechanism for making asynchronous data requests over HTTP. To create the user interfaces of a client-side Web application, authors will typically rely on either HTML or on some proprietary XML vocabulary supported by the host runtime environment. The "Widgets 1.0" specification defines the packaging format, manifest file and scripting interfaces for downloading and installation on client machines. The corresponding requirements document "Client-Side Web Applications (Widgets) Requirements" has been updated and retitled.
See also: W3C Rich Web Clients

Sun, Ubuntu Cross-Certify for JEE5 Server Deployment
Chris Preimesberger, eWEEK
In May 2006 at JavaOne, Sun Microsystems' President Jonathan Schwartz and Canonical Ltd. Founder and President Mark Shuttleworth — creator of the Ubuntu distribution of GNU/Linux — promised to do a lot of business in the coming months. Sun and Canonical, a two-year-old U.K.-based commercial sponsor of the fast-growing Ubuntu, have now revealed that the open-source Java Enterprise Edition 5 application server [GlassFish Community reference implementation] is now certified and available to run on Ubuntu Server Edition. The Java Community Process, which governs Java development, on November 7 [2006] sanctioned the final JEE5 specification. GlassFish is the first Java application server to be bundled with Ubuntu, according to Shuttleworth. Tom Marble, senior Java Performance Engineer at Sun: "For example, if you're building a Web portal with interactive applications on NetBeans, to add the Ubuntu server all you have to do is find it on the drop-down list and add it. The application will find all the components needed to make it work, automatically. A few clicks, and it just all works." The expansion includes support for the Sun Fire X4100 and X4200 servers, as well as the Sun Ultra 20 and 40 Workstations. This means that enterprises will now be able to run Ubuntu on Sun's x64 systems with the support of five-year software support provided by Canonical. The GlassFish community is currently developing a JEE5 certified application server, which contains core modules upon which many other enterprise Java implementations will be based.
See also: the announcement

Semantics of Business Vocabulary and Business Rules (SBVR)
Staff, OMG
The Object Management Group (OMG) has released an updated [now approved] version of the "Semantics of Business Vocabulary and Business Rules (SBVR)." The SBVR (Semantics of Business Vocabulary and Business Rules) initiative is intended to capture business facts and business rules that may be expressed either informally or formally. Business rule expressions are classified as formal only if they are expressed purely in terms of fact types in the pre-declared schema for the business domain, as well as certain logical/mathematical operators, quantifiers, etc. The specification "defines the vocabulary and rules for documenting the semantics of business vocabulary, business facts, and business rules; as well as an XMI schema for the interchange of business vocabularies and business rules among organizations and between software tools. This specification is interpretable in predicate logic with a small extension in modal logic. This specification supports linguistic analysis of text for business vocabulary and rules, with the linguistic analysis itself being outside the scope of this specification. This specification is applicable to the domain of business vocabulary and business rules of all kinds of business activities of all kinds of organizations. It is conceptualized optimally for business people rather than automated rules processing, and is designed to be used for business purposes, independent of information systems designs. Conformant software correctly consumes and produces XML documents conveying information conforming to the SBVR Business Vocabulary and Business Rules XML Schema. The conformant software also detects and reports when XML input violates necessary conditions stated by this specification. Conformant software correctly generates an XML document conforming to OMG's MOF 2 XML Schema from any XML document that conforms to the SBVR Logical Formulation of Semantics XML Schema. Production follows the rules of the Vocabulary-to-MOF/XMI Mapping Rule Set.
See also: http://www.omg.org/technology/documents/bms_spec_catalog.htm#SBVR

Traceroute Measurements Information Model and XML Data Model
Saverio Niccolini, Sandra Tartarelli, et al. (eds), IETF Internet Draft
Members of IETF's IP Performance Metrics (IPPM) Working Group have published an updated Internet Draft for "Traceroute Measurements Information Model and XML Data Model." This memo describes a standard way to store traceroute measurements. To better address the traceroute measurements storing issue, the authors first of all give a definition of the traceroute tool, describe the tool itself as well as its parameters and the default values on the most common operating systems and the output results that can be stored. Afterwards, the common information model with the base elements of the traceroute measurement storing is defined dividing the information elements in two semantically separated groups (configuration elements and results ones). Moreover an additional element is defined to relate configuration elements and results ones by means of a common unique identifier. On the basis of the information model a data model is then proposed in order to actually store the traceroute measurements. In order to store traceroute results and allow comparison of them, this Internet Draft defines a standard way to store traceroute measurements using an XML schema. Traceroute is a network diagnostic tool used to determine the hop by hop path from a source to a destination and the Round Trip Time (RTT) from the source to each hop. Traceroute can therefore be used to discover where and how a host is connected to the Internet and can be usefully employed to troubleshoot network connections. The IPPM WG was chartered to develop a set of standard metrics that can be applied to the quality, performance, and reliability of Internet data delivery services. These metrics are designed such that they can be performed by network operators, end users, or independent testing groups.

Is DRM Good or Bad for Consumers?
Grant Gross, InfoWorld
DRM (digital rights management) technology may actually be good for consumers because it could give them more choices for downloading or buying copyrighted content, some speakers at a U.S. Federal Trade Commission (FTC) event said Wednesday. Others on a panel discussion about new technology products aren't convinced DRM was such a good deal for consumers. The panel was part of the FTC's three-day conference, "Protecting Consumers in the Next Tech-ade." When told of survey results that suggest consumers would be willing to pay twice as much for a music download they could play on more than one device or share with a small number of friends, Urs Gasser, director of the Research Center for Information Law at the University of St. Gallen in Switzerland, said that before DRM technologies, consumers didn't have to pay extra for those things. Until DRM matured, consumers had control over how they used digital content, noted Deirdre Mulligan, director of the Samuelson Law, Technology and Public Policy Clinic at the University of California Berkeley Law School. DRM is creating a "permission culture" where consumers have to ask the copyright owner's permission to play a piece of music on both a home computer and a car stereo: "[previously] there was a lot of breathing space in copyright law." In addition, many consumers don't understand DRM restrictions, and they're surprised when a CD that works on a home stereo can't be played somewhere else, she said. Vendors offer "little disclosure about how consumers can use" DRM-protected content.
See also: XML and Digital Rights Management (DRM)


XML.org is an OASIS Information Channel sponsored by BEA Systems, Inc., IBM Corporation, Innodata Isogen, SAP AG and Sun Microsystems, Inc.

Use http://www.oasis-open.org/mlmanage to unsubscribe or change an email address. See http://xml.org/xml/news_market.shtml for the list archives.

