XML and Web Services In The News - 9 November 2006
Provided by OASIS
Edited by Robin Cover
This issue of XML Daily Newslink is sponsored by SAP AG
HEADLINES:
Email Authentication: What? Why? How?
Eric Allman (Sendmail), ACM Queue
Internet email was conceived in a different world than we live in
today. It was a small, tightly knit community, and we didn't really
have to worry too much about miscreants. Generally, if someone did
something wrong, the problem could be dealt with through social means;
'shunning' is very effective in small communities. E-mail has had a
fundamental flaw from the beginning: a lack of authentication. This
means that anyone on the Internet can, in theory, send e-mail to
anyone else while claiming to be a third person. The reason for this
is purely historic: E-mail was one of the very first network protocols
— in fact, the first three application layer protocols published for
the Internet were telnet, FTP, and SMTP — even before DNS, and before
there was any infrastructure to support distributed authentication in
the nascent Internet (telnet and FTP used local authentication).
Coupled with greed, this is a dangerous property. For example, I have
no way to prove that a message that claims to be from my bank actually
has anything to do with my bank. This situation is increasingly
untenable, which is resulting in calls for authentication technology.
Authentication proposals come in two flavors: path-based and signature-
based. There are many variations on this theme. Path-based algorithms
look at where the mail was sent from. The best-known examples of
path-based authentication are SPF (Sender Policy Framework) and Sender
ID. Signature-based algorithms, on the other hand, determine whether
the message is legitimate by using a cryptographic digital signature
on the message. Public-key encryption allows the signer (usually the
sender of the message) to publish its public key so that the verifier
(usually the recipient) can verify that the message is properly signed.
The best-known examples of signature-based algorithms are DomainKeys
from Yahoo! and DKIM (DomainKeys Identified Mail), the result of a
group effort that started with DomainKeys and IIM (Identified Internet
Mail) from Cisco. These are similar algorithms, but they do have
distinct differences. For the best protection you should probably use
at least one of each type of system. One of the classic misconceptions
is that authenticated messages can be trusted. By the very nature of
authentication, spammers and phishers can authenticate themselves as
well as legitimate senders can. Once you know who someone really is,
you also need to know whether this is someone from whom you want to
accept mail. The major schemes are accreditation and reputation.
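The path-based check described above, in working form. This is an added example written for this digest, not code from Allman's article or from Sendmail: a simplified SPF evaluator that reads a sending domain's policy from a constructed DNS table (the domains, records and reputation scores are all invented here), supports the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers, and caps include lookups at 10, the limit RFC 4408 sets. The spam.example entry demonstrates the misconception the article calls out: a correctly published SPF record makes a spammer's mail pass authentication exactly as the bank's does, so a separate reputation decision (should_accept) still has to be made.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups of the sending domain.
DNS_TXT = {
    "bank.example":   "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "shop.example":   "v=spf1 ip4:203.0.113.0/28 ~all",
    "spam.example":   "v=spf1 ip4:203.0.113.200 -all",     # valid policy, unwanted sender
    "loop.example":   "v=spf1 include:loop.example -all",  # self-include, never terminates
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 4408 limit on mechanisms that need DNS lookups


def check_spf(domain, client_ip, dns=DNS_TXT, _lookups=None):
    """Evaluate the SPF policy of `domain` for a client connecting from
    `client_ip`. Returns one of pass, fail, softfail, neutral, none, permerror."""
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain)
    if record is None:
        return "none"                     # no policy published: nothing to check
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # terminal mechanism
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"        # too many lookups; protects the verifier
            inner = check_spf(arg, client_ip, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"        # RFC 4408: included domain must have a record
            # fail/softfail/neutral from the included domain: try the next term
        else:
            return "permerror"            # mechanism not supported by this evaluator
    return "neutral"                      # no mechanism matched


# Constructed reputation scores; authentication alone never decides acceptance.
REPUTATION = {"bank.example": 5, "shop.example": 1, "spam.example": -10}


def should_accept(domain, client_ip, reputation=REPUTATION, dns=DNS_TXT):
    """Combine the authentication result with a separate reputation decision."""
    result = check_spf(domain, client_ip, dns)
    if result in ("fail", "permerror"):
        return False
    return reputation.get(domain, 0) >= 0   # unknown senders are not penalised


if __name__ == "__main__":
    for domain, ip in [("bank.example", "192.0.2.25"), ("spam.example", "203.0.113.200")]:
        verdict = "accept" if should_accept(domain, ip) else "reject"
        print(domain, ip, check_spf(domain, ip), verdict)
```

Running the block prints a pass for both bank.example and spam.example, with only the bank's mail accepted; the loop.example record shows why the lookup cap matters, since without it a self-including policy would recurse until the verifier ran out of stack.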
Mixing Java with XSLT: Simple Xalan Extension Functions
Elliotte Rusty Harold, IBM developerWorks
Extensible Stylesheet Language Transformations (XSLT) is a Turing
complete programming language. That means that given enough memory,
it can calculate anything a program written in any other programming
language can calculate. However, this theoretical ability is often
impractical. There are several cases where you may need to write code
in a more traditional language rather than XSLT. For example:
(1) External I/O: For instance, files, databases, or network
connections. XSLT has very limited ability to read or write these
things. (2) External devices: For instance, Universal Serial Bus
(USB) ports or the system clock. (3) Advanced math: XSLT can perform
basic arithmetic easily enough, but it doesn't support trigonometry,
exponential functions, logarithms, or other more advanced mathematical
operators and functions. Although you can implement all of these using
the basic operations XSLT does support, such a program would be both
unwieldy and slow. Using a language that is designed for such
operations dramatically improves both performance and legibility.
Fortunately, you can code these tasks in the Java language and then
invoke them from your XSLT stylesheets using Xalan. This article shows
you how to link Java classes to XSLT to perform these sorts of
operations. The means by which XSLT invokes Java classes varies from
one XSLT processor to the next. This article focuses on the Apache
Foundation's popular Xalan XSLT processor.
See also: the Apache XML Project
Complete Program Listings for the XML 2006 Conference
David Megginson, Conference Announcement
XML 2006 Conference Chair David Megginson has announced the publication
of the complete program for the XML 2006 event, to be held on December
5-7, 2006, in Boston, MA, USA. The planning committee has also selected
nine presentations from the more than 60 excellent submissions for
the late-breaking slots at XML 2006. The IDEAlliance event is called
"The world's oldest and biggest XML conference." Tracks include:
(1) Enterprise XML Computing; (2) XML on the Web; (3) Documents and
Publishing; (4) Hands-On XML. "The Enterprise track looks at XML in
the world of small, medium, and large-size business, governments, and
other organizations. In the enterprise, IT almost never starts with a
clean slate: there are old systems to integrate with new ones, partners
who follow different standards, and sometimes severe security and
regulatory requirements to meet — and by the way, organizations also
hope that new IT projects will cut costs and increase revenue.
Presentations at XML 2006 suggest how XML can help. XML is also the
glue that holds the new Web together. The "XML on the Web" track looks
at the role of XML outside the firewall, where people use it for
everything from weblog syndication to Web 2.0 mashups to AJAX to
Friend of a Friend. David says: "Even if you cannot come, the [program]
lists can make interesting reading. Databases, XQuery, and their
intersection have become big topics. We didn't have so many Web
Services submissions this year, though the single paper that's
attracted the most hits on our site is the W3C's "Web Services Policy
Expression Alternatives." [Web Services Policy (WS-Policy) is a
general purpose framework for expressing requirements, capabilities,
and general characteristics of a Web service, such as security or
reliability requirements. We will demonstrate how a variety of current
schema and query languages can express these policies and how these
languages can clarify and extend policy description.]
See also: organizations represented
W3C Releases Initial Working Draft for Widgets 1.0
Anne van Kesteren and Marcos Caceres (eds), W3C Technical Report
W3C's Web Application Formats Working Group has released the First
Public Working Draft specification for Widgets 1.0. This document was
produced by the Web Application Formats Working Group, part of the
Rich Web Clients Activity in the W3C Interaction Domain. Also known as
gadgets or modules, "widgets" are small programs like clocks, stock
tickers, news casters, games and weather forecasters that display and
update remote data and run on the Web browser environment. Client-side
Web applications are typically small self-contained applications for
displaying and updating remote data, packaged in a way to allow a
single download and installation on a client machine. Most host
runtime environments will typically support HTTP, URIs, and Unicode,
as well as ECMAScript (JavaScript), CSS, the DOM, and some mechanism
for rendering multimedia resources such as images and sounds. They
will also include an API that provides functionality that is
currently specific to client-side Web Applications, such as persistent
storage and read/write access to a sandboxed portion of an end-user's
storage device. Also, because of the rise in popularity of Ajax-style
development approaches, many host runtime environments now support the
XMLHttpRequest object or some similar mechanism for making asynchronous
data requests over HTTP. To create the user interfaces of a client-
side Web application, authors will typically rely on either HTML or
on some proprietary XML vocabulary supported by the host runtime
environment. The "Widgets 1.0" specification defines the packaging
format, manifest file and scripting interfaces for downloading and
installation on client machines. The corresponding requirements
document "Client-Side Web Applications (Widgets) Requirements" has been
updated and retitled.
See also: W3C Rich Web Clients
Sun, Ubuntu Cross-Certify for JEE5 Server Deployment
Chris Preimesberger, eWEEK
In May 2006 at JavaOne, Sun Microsystems' President Jonathan Schwartz
and Canonical Ltd. Founder and President Mark Shuttleworth — creator
of the Ubuntu distribution of GNU/Linux — promised to do a lot of
business in the coming months. Sun and Canonical, a two-year-old
U.K.-based commercial sponsor of the fast-growing Ubuntu, have now
revealed that the open-source Java Enterprise Edition 5 application
server [GlassFish Community reference implementation] is now certified
and available to run on Ubuntu Server Edition. The Java Community
Process, which governs Java development, on November 7 [2006] sanctioned
the final JEE5 specification. GlassFish is the first Java application
server to be bundled with Ubuntu, according to Shuttleworth. Tom
Marble, senior Java Performance Engineer at Sun: "For example, if
you're building a Web portal with interactive applications on NetBeans,
to add the Ubuntu server all you have to do is find it on the drop-down
list and add it. The application will find all the components needed
to make it work, automatically. A few clicks, and it just all works."
The expansion includes support for the Sun Fire X4100 and X4200 servers,
as well as the Sun Ultra 20 and 40 Workstations. This means that
enterprises will now be able to run Ubuntu on Sun's x64 systems with
the support of five-year software support provided by Canonical. The
GlassFish community is currently developing a JEE5 certified
application server, which contains core modules upon which many other
enterprise Java implementations will be based.
See also: the announcement
Semantics of Business Vocabulary and Business Rules (SBVR)
Staff, OMG
The Object Management Group (OMG) has released an updated [now approved]
version of the "Semantics of Business Vocabulary and Business Rules
(SBVR)." The SBVR initiative is intended to capture business facts and
business rules that may be expressed either informally or formally. Business rule
that may be expressed either informally or formally. Business rule
expressions are classified as formal only if they are expressed purely
in terms of fact types in the pre-declared schema for the business domain,
as well as certain logical/mathematical operators, quantifiers, etc.
The specification "defines the vocabulary and rules for documenting the
semantics of business vocabulary, business facts, and business rules; as
well as an XMI schema for the interchange of business vocabularies and
business rules among organizations and between software tools. This
specification is interpretable in predicate logic with a small extension
in modal logic. This specification supports linguistic analysis of text
for business vocabulary and rules, with the linguistic analysis itself
being outside the scope of this specification. This specification is
applicable to the domain of business vocabulary and business rules of
all kinds of business activities of all kinds of organizations. It is
conceptualized optimally for business people rather than automated rules
processing, and is designed to be used for business purposes, independent
of information systems designs. Conformant software correctly consumes
and produces XML documents conveying information conforming to the SBVR
Business Vocabulary and Business Rules XML Schema. The conformant
software also detects and reports when XML input violates necessary
conditions stated by this specification. Conformant software correctly
generates an XML document conforming to OMG's MOF 2 XML Schema from any
XML document that conforms to the SBVR Logical Formulation of Semantics
XML Schema. Production follows the rules of the Vocabulary-to-MOF/XMI
Mapping Rule Set.
See also: http://www.omg.org/technology/documents/bms_spec_catalog.htm#SBVR
Traceroute Measurements Information Model and XML Data Model
Saverio Niccolini, Sandra Tartarelli, et al. (eds), IETF Internet Draft
Members of IETF's IP Performance Metrics (IPPM) Working Group have
published an updated Internet Draft for "Traceroute Measurements
Information Model and XML Data Model." This memo describes a standard
way to store traceroute measurements. To frame the storage problem, the
authors first define the traceroute tool, describing the tool itself,
its parameters and their default values on the most common operating
systems, and the output results that can be stored. They then define a
common information model with the base elements of a stored traceroute
measurement, dividing the information elements into two semantically
separate groups (configuration elements and results elements), plus an
additional element that relates configuration elements to results
elements by means of a common unique identifier. On the basis of the
information model, a data model is then proposed to actually store the
traceroute measurements. So that traceroute results can be stored and
compared, the Internet Draft defines a standard way to store them
using an XML schema. Traceroute
is a network diagnostic tool used to determine the hop by hop path
from a source to a destination and the Round Trip Time (RTT) from
the source to each hop. Traceroute can therefore be used to discover
where and how a host is connected to the Internet and can be usefully
employed to troubleshoot network connections. The IPPM WG was chartered
to develop a set of standard metrics that can be applied to the quality,
performance, and reliability of Internet data delivery services. These
metrics are designed such that they can be performed by network
operators, end users, or independent testing groups.
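The split the draft describes, configuration elements and results elements tied together by a common unique identifier, in working form. This is an added example for this digest, not the draft's schema or the IPPM working group's code: the element and attribute names (configuration, results, hop, rtt and so on) are invented here, and the measurement document is constructed. It shows why the identifier matters: a results element whose id has no matching configuration cannot be interpreted, because the hop limit and probe count needed to validate it live in the configuration.

```python
import xml.etree.ElementTree as ET

# Constructed measurement document; element names are this example's, not the draft's.
SAMPLE_XML = """<?xml version="1.0"?>
<traceroute-measurements>
  <configuration id="m-1">
    <source>192.0.2.10</source>
    <destination>198.51.100.7</destination>
    <max-hops>30</max-hops>
    <probes-per-hop>3</probes-per-hop>
  </configuration>
  <results id="m-1">
    <hop ttl="1"><address>192.0.2.1</address><rtt unit="ms">0.41</rtt><rtt unit="ms">0.38</rtt><rtt unit="ms">0.40</rtt></hop>
    <hop ttl="2"><address>203.0.113.9</address><rtt unit="ms">4.2</rtt><rtt unit="ms">4.5</rtt><rtt unit="ms">*</rtt></hop>
    <hop ttl="3"><address>198.51.100.7</address><rtt unit="ms">9.1</rtt><rtt unit="ms">8.9</rtt><rtt unit="ms">9.3</rtt></hop>
  </results>
  <results id="m-9"><hop ttl="1"><address>10.0.0.1</address></hop></results>
</traceroute-measurements>
"""


def parse_measurements(xml_text):
    """Return ({id: measurement}, [orphan result ids]).

    Results are joined to their configuration through the shared id; results
    with no configuration are reported as orphans rather than interpreted."""
    root = ET.fromstring(xml_text)
    configs = {c.get("id"): c for c in root.findall("configuration")}
    measurements, orphans = {}, []
    for res in root.findall("results"):
        mid = res.get("id")
        cfg = configs.get(mid)
        if cfg is None:
            orphans.append(mid)
            continue
        max_hops = int(cfg.findtext("max-hops"))
        probes = int(cfg.findtext("probes-per-hop"))
        hops = []
        for hop in res.findall("hop"):
            ttl = int(hop.get("ttl"))
            if not 1 <= ttl <= max_hops:
                raise ValueError(f"{mid}: hop ttl {ttl} outside configured range")
            rtts = []
            for rtt in hop.findall("rtt"):
                text = (rtt.text or "").strip()
                rtts.append(None if text == "*" else float(text))  # '*' = probe timed out
            if len(rtts) > probes:
                raise ValueError(f"{mid}: more RTTs than configured probes at ttl {ttl}")
            hops.append({"ttl": ttl, "address": hop.findtext("address"), "rtts": rtts})
        measurements[mid] = {
            "source": cfg.findtext("source"),
            "destination": cfg.findtext("destination"),
            "max_hops": max_hops,
            "hops": hops,
        }
    return measurements, orphans


def hop_summary(measurement):
    """Per hop: (ttl, address, minimum RTT in ms or None, number of lost probes)."""
    summary = []
    for hop in measurement["hops"]:
        answered = [r for r in hop["rtts"] if r is not None]
        lost = len(hop["rtts"]) - len(answered)
        summary.append((hop["ttl"], hop["address"], min(answered) if answered else None, lost))
    return summary


def reached_destination(measurement):
    """True when the last recorded hop is the configured destination address."""
    hops = measurement["hops"]
    return bool(hops) and hops[-1]["address"] == measurement["destination"]


if __name__ == "__main__":
    found, orphans = parse_measurements(SAMPLE_XML)
    for mid, m in found.items():
        print(mid, m["source"], "->", m["destination"], "reached:", reached_destination(m))
        for row in hop_summary(m):
            print("  ", row)
    print("orphan results:", orphans)
```

Because the parser validates each hop against its configuration, a document with hops beyond max-hops or more RTT values than probes-per-hop is rejected rather than silently summarised, which is what makes stored results from different tools comparable in the sense the draft is after.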
Is DRM Good or Bad for Consumers?
Grant Gross, InfoWorld
DRM (digital rights management) technology may actually be good for
consumers because it could give them more choices for downloading or
buying copyrighted content, some speakers at a U.S. Federal Trade
Commission (FTC) event said Wednesday. Others on a panel discussion
about new technology products aren't convinced DRM was such a good deal
for consumers. The panel was part of the FTC's three-day conference,
"Protecting Consumers in the Next Tech-ade." When told of survey
results that suggest consumers would be willing to pay twice as much
for a music download they could play on more than one device or share
with a small number of friends, Urs Gasser, director of the Research
Center for Information Law at the University of St. Gallen in Switzerland,
said that before DRM technologies, consumers didn't have to pay extra
for those things. Until DRM matured, consumers had control over how
they used digital content, noted Deirdre Mulligan, director of the
Samuelson Law, Technology and Public Policy Clinic at the University
of California Berkeley Law School. DRM is creating a "permission culture"
where consumers have to ask the copyright owner's permission to play a
piece of music on both a home computer and a car stereo: "[previously]
there was a lot of breathing space in copyright law." In addition,
many consumers don't understand DRM restrictions, and they're surprised
when a CD that works on a home stereo can't be played somewhere else,
she said. Vendors offer "little disclosure about how consumers can use"
DRM-protected content.
See also: XML and Digital Rights Management (DRM)
XML.org is an OASIS Information Channel
sponsored by BEA Systems, Inc., IBM Corporation, Innodata Isogen, SAP AG and Sun
Microsystems, Inc.
Use http://www.oasis-open.org/mlmanage
to unsubscribe or change an email address. See http://xml.org/xml/news_market.shtml
for the list archives.