XML General Articles and Papers: Surveys, Overviews, Presentations, Introductions, Announcements
Other collections with references to general and technical publications on XML:
- XML Article Archive: [July 2002] [April - June 2002] [January - March 2002] [October - December 2001] [Earlier Collections]
- Articles Introducing XML
- Comprehensive SGML/XML Bibliographic Reference List
August 2002
[August 30, 2002] "Guidelines for the Use of XML within IETF Protocols." By Scott Hollenbeck (VeriSign, Inc.), Marshall T. Rose (Dover Beach Consulting, Inc.), and Larry Masinter (Adobe Systems Incorporated). IETF Network Working Group Internet-Draft. Reference: 'draft-hollenbeck-ietf-xml-guidelines-06.txt'. 34 pages. August 22, 2002, expires February 20, 2003. This draft represents version 6 of the document; Appendix A lists 'Changes from Previous Version'. It is the goal of the authors that this draft (when completed and then approved by the IESG) be published as a Best Current Practice (BCP). "The Extensible Markup Language (XML) is a framework for structuring data. While it evolved from SGML -- a markup language primarily focused on structuring documents -- XML has evolved to be a widely-used mechanism for representing structured data. There are a wide variety of Internet protocols being developed; many have need for a representation for structured data relevant to their application. There has been much interest in the use of XML as a representation method. This document describes basic XML concepts, analyzes various alternatives in the use of XML, and provides guidelines for the use of XML within IETF standards-track protocols... This document is intended to give guidelines for the use of XML content within a larger protocol. The goal is not to suggest that XML is the 'best' or 'preferred' way to represent data; rather, the goal is to lay out the context for the use of XML within a protocol once other factors point to XML as a possible data representation solution. The Common Name Resolution Protocol (CNRP) is an example of a protocol that would be addressed by these guidelines if it were being newly defined. This document does not address the use of protocols like SMTP or HTTP to send XML documents as ordinary email or web content.
There are a number of protocol frameworks already in use or under development which focus entirely on "XML protocol" -- the exclusive use of XML as the data representation in the protocol. For example, the World Wide Web Consortium (W3C) is developing an XML Protocol framework based on SOAP (SOAP Version 1.2 Part 1: Messaging Framework, SOAP Version 1.2 Part 2: Adjuncts). The applicability of such protocols is not part of the scope of this document. In addition, there are higher-level representation frameworks, based on XML, that have been designed as carriers of certain classes of information; for example, the Resource Description Framework (Resource Description Framework (RDF) Model and Syntax Specification) is an XML-based representation for logical assertions. This document does not provide guidelines for the use of such frameworks... A discussion forum 'ietf-xml-use@imc.org' is used for comments on this draft; see the archives. [cache]
[August 30, 2002] "Common Name Resolution Protocol (CNRP)." By Nico Popp (RealNames Corporation), Michael Mealling (VeriSign, Inc.), and Marshall Moseley (Netword, Inc). IETF Network Working Group, Internet-Draft. Reference: 'draft-ietf-cnrp-12.txt'. February 21, 2002. See also the XML DTD from section 5. "People often refer to things in the real world by a common name or phrase, e.g., a trade name, company name, or a book title. These names are sometimes easier for people to remember and type than URLs. Furthermore, because of the limited syntax of URLs, companies and individuals are finding that the ones that might be most reasonable for their resources are being used elsewhere and so are unavailable. For the purposes of this document, a 'common name' is a word or a phrase, without imposed syntactic structure, that may be associated with a resource. This effort is about the creation of a protocol for client applications to communicate with common name resolution services, as exemplified in both the browser enhancement and search site paradigms. Although the protocol's primary function is resolution, it is also intended to address issues of internationalization and localization. Name resolution services are not generic search services and thus do not need to provide complex Boolean query, relevance ranking or similar capabilities. The protocol is a simple, minimal interoperable core. Mechanisms for extension are provided, so that additional capabilities can be added... The protocol consists of a simple request/response mechanism. A client sends one of a few types of requests to a server which responds with the results of that request. All requests and responses are encoded with XML using the DTD found in Section 5. There are two types of requests. One is a general query for a common-name. The other is a request for an object that describes the service and its capabilities. There is only one type of response which is a set of results. 
Results can contain actual result items, referrals and/or status messages. CNRP is completely encapsulated within its XML definition, and is therefore transport-independent in its specification. However, clients need to have a clearly defined means of bootstrapping a connection with a server... Queries are sent by the client to the server. There are two types of queries: (1) A 'special' initial query that establishes the schema for a particular CNRP database and communicates that to the client. The CNRP client will send this query, and in turn receive an XML document defining the query properties that the database supports. (In CNRP, XML is used to define and express all objects.) This query is called the 'servicequery' in the DTD. In the case where a client does not know anything about the Service, the client may assume that it can at least issue the request via HTTP. (2) A 'standard' query, which is the submission of the CNRP search string to the database. The query will conform to the schema that may have been previously retrieved from the service..." See also the IETF Common Name Resolution Protocol WG Charter, The 'go'URI Scheme for the Common Name Resolution Protocol, and the mail list archives. [cache]
[August 30, 2002] "UDDI Takes Step Forward but Isn't Ready for Deployment." By Ray Wagner and John Pescatore (Gartner Research). Gartner FirstTake. Reference: FT-18-0859. 30 August 2002. ['Most major IT vendors support OASIS's new committee to develop the UDDI protocol. However, UDDI will achieve widespread use only at a late stage in the deployment of Web services.'] "On 28 August 2002, the Organization for Structured Information Standards (OASIS) announced the UDDI Specification Technical Committee to oversee the development of Universal Description, Discovery, and Integration (UDDI), a Web service protocol. More than 20 major IT companies have said they will participate, including most major software infrastructure providers... The unprecedented cooperation by industry participants will do much to secure widespread acceptance of UDDI, which provides a common format for enterprises to identify and link to new Web services... However, this specification may not prove as important as other Web service protocols with which it is normally associated, such as Simple Object Access Protocol (SOAP) and the Security Assertion Markup Language (SAML), because UDDI will achieve widespread use only at a late stage in the deployment of Web services. In general, enterprises will not need UDDI initially, either behind the firewall or when they deal with trusted business partners. Supporters will have to resolve many security issues related to UDDI before enterprises can safely expose service information via UDDI. Standard mechanisms need to be defined for such functions as supporting granular access, denial-of-service protection and nonrepudiation. Gartner recommends that enterprises evaluate the output of the UDDI committee for in-depth treatment of UDDI security issues before planning externally exposed use of UDDI. 
Gartner also believes that secure use of Web services will greatly accelerate if the vendors participating in the UDDI committee also participate aggressively in the SAML, Web Services Security (WS-Security), Liberty Alliance and other Web service initiatives related to security..." Also in PDF format. See: "Universal Description, Discovery, and Integration (UDDI)." [cache]
[August 30, 2002] "Q&A: VeriSign's Phillip Hallam-Baker on Web Services Security." By Carol Sliwa. In Computerworld (August 30, 2002). "IT professionals should wait for the Web Services Security specification to be finalized and implemented before they start building sophisticated Web services that extend beyond their company's firewalls, according to the specification's co-author. Phillip Hallam-Baker, principal scientist at Mountain View, Calif.-based VeriSign Inc., said it could take between six months and two years to nail down the WS-Security specification that he helped to write. Hallam-Baker spoke with Computerworld's Carol Sliwa about the state of Web services security during this week's XML Web Services One Conference here. The WS-Security specification was announced in April by IBM, Microsoft Corp. and VeriSign and was turned over to the Organization for the Advancement of Structured Information Standards (OASIS). A technical committee working to advance WS-Security will hold its first face-to-face meeting next week. Hallam-Baker was also senior author of the XML Key Management Specification (XKMS), and he served as editor of the Security Assertion Markup Language core schema and protocol specification. Here's what he had to say... [Excerpts:] "... What Web services are about is machine-to-machine communication. The base technology is XML and XML schema. If we want to narrow it to what types of Web service specifications are you going to be most interested in supporting -- obviously SOAP [Simple Object Access Protocol], WS-Security, XKMS... There are people like myself who are full-time occupied on the development standards, and we push things real hard. If something isn't meeting a deadline, if people are having an argument, I will make things happen. And I not only know everybody in the room, I know all their managers. If two people need to agree, either we will come to an agreement or we'll have a flame-out. We could throw part of the spec out. 
We could split the standards group. If I'm convinced that we're not going to get agreement, I'm going to say, "OK. We're splitting." And people know that that would be bad press... Q: When will WS-Security get nailed down? A: Within a two-year time span, certainly. Within a six-month time span, certainly not. Between the two, well it depends..."
[August 30, 2002] "Out with AOL, in with Jabber." By Paul Festa. In CNET News.com (August 30, 2002). "When America Online closed its door on efforts to standardize instant messaging, a new one may have opened for Jabber. Jabber, the XML-based instant messaging application that interoperates with multiple IM services, is close to winning approval for its own dedicated working group within the Internet Engineering Task Force (IETF), a development that would elevate the technology from one of many competing IM also-rans to that of a potential industry standard. 'They're pushing for a working group,' said Ned Freed, the IETF's co-area director for applications and member of the group's decision-making Internet Engineering Steering Group (IESG). 'I suspect we will be approving it in the very near future.' ... The IETF-proposed standard for instant messaging that AOL abandoned is still in progress. Dubbed SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions), it is an instant-messaging application of the IETF's Session Initiation Protocol (SIP), a technology with numerous applications apart from IM. SIMPLE proponents, however diminished in strength without AOL's backing, are putting up a fight to resist the Jabber invasion, arguing that the IETF's energies are divided enough as it is without adding another instant messaging protocol to the mix. In fact, there is a large handful of IM-related activities, variously competing and complementary with each other, in progress under the IETF's auspices. In addition to SIMPLE, they include Application Exchange (APEX), a still-ongoing project that even its working group chair acknowledges is unlikely to prosper; the now moribund Presence and Instant Messaging Protocol (PRIM), which backers hope to revive in the future; and the Instant Messaging and Presence Protocol (IMPP), a group working on Common Presence and Instant Messaging (CPIM)... 
Jabber proponents argue that an XML-based protocol would find a warm reception on the Internet, where the number of XML-based documents and applications is burgeoning. And should the IETF approve a Jabber working group, it would start out with an installed base that no other IETF instant messaging activity can match. Jabber now claims that as many as 100,000 of its servers are running across the Internet, with millions of people using the application. Licensees of Jabber's enterprise-grade software include AT&T, Hewlett-Packard, Walt Disney, BellSouth, France Telecom and VA Linux Systems... Jabber -- which exists as both the for-profit Jabber.com and the open-source development group 'The Jabber Software Foundation' -- has much to gain from the potential IETF working group. In addition to the prestige and possible surge in adoption that IETF recognition would bring, Jabber backers are hoping that in exchange for ceding control of the technology to the IETF, they might get valuable technical help in areas where Jabber badly needs it -- namely security and internationalization..." See: "Jabber XML Protocol."
[August 30, 2002] "Resource Description Framework (RDF): Concepts and Abstract Data Model." Edited by Graham Klyne (Clearswift and Nine by Nine) and Jeremy Carroll (Hewlett Packard Labs). Series editor: Brian McBride (Hewlett Packard Labs). W3C Working Draft 29-August-2002. Version URL: http://www.w3.org/TR/2002/WD-rdf-concepts-20020829/. Latest version URL: http://www.w3.org/TR/rdf-concepts/. Produced by the W3C RDF Core Working Group as part of the W3C Semantic Web Activity. "The Resource Description Framework (RDF) is a data format for representing metadata about Web resources, and other information. This document defines the abstract graph syntax on which RDF is based, and which serves to link its XML serialization to its formal semantics. It also describes some other technical aspects of RDF that do not fall under the topics of formal semantics, XML serialization syntax or RDF schema and vocabulary definitions (which are each covered by a separate document in this series). These include: discussion of design goals, meaning of RDF documents, key concepts, character normalization and handling of URI references... The normative documentation of RDF falls broadly into the following areas: (1) XML serialization syntax [RDF/XML Syntax Specification (Revised)]; (2) formal semantics [RDF Model Theory]; (3) RDF vocabulary definition language (RDF schema) [RDF Vocabulary Description Language 1.0: RDF Schema], and (4) this document, which covers the following: discussion of design goals, meaning of RDF documents, key concepts, abstract graph syntax, character normalization, and handling of URI references..." See: (1) W3C website section for Resource Description Framework (RDF); (2) local references in "Resource Description Framework (RDF)."
[August 30, 2002] "Validation by Instance." By Michael Fitzgerald. From XML.com. (August 28, 2002). ['Michael Fitzgerald shows a convenient way to write schemas for validating XML documents. Rather than modeling the schema from scratch, Michael shows how to derive schemas (DTDs, RELAX NG, and W3C XML Schema) from instance documents.'] "Most people these days develop XML documents and schema with a visual editor of some sort, perhaps Altova's XML Spy, Tibco's TurboXML, xmlHack from SysOnyx, or Oxygen. Some even use several editors on a single project, depending on the strengths of the software. Others prefer to work closer to the bone. I usually develop my schema and instances by hand, using the vi editor, along with other Unix utilities (actually, I use Cygwin on a Windows 2000 box). I don't want to make more work for myself, but I prefer to use free, open source tools that allow me to make low-level changes that suit my needs. If you prefer to work this way, you should enjoy this piece. In this article, I will explore how you can translate an XML document into a Document Type Definition (DTD), a RELAX NG schema, and then into a W3C XML Schema (WXS) schema, in that order. I'll do this with the aid of several open source tools, and I'll also cover a way to validate the original XML instance against the various schemas. [1] Translating the DTD to RELAX NG: James Clark's DTDinst is a Java tool that translates a DTD either into its own XML vocabulary or into a schema in RELAX NG's XML syntax. After downloading and installing dtdinst.jar, you can issue the following command to translate a DTD into RELAX NG: [2] Translating an XML Document into a DTD: To translate the XML document into a DTD, I'll use Michael Kay's DTDGenerator. Originally, DTDGenerator was part of the Saxon XSLT processor, but now it is separate. At just 17kb, it's a pretty small download.
DTDGenerator does a fair amount of work for you, but it doesn't produce parameter entities, notation declarations, or entity declarations. It's also not namespace-aware, but DTDs aren't inherently aware of namespaces or qualified names anyway. [3] Translating RELAX NG to XML Schema: Trang is another tool written by James Clark. It can take as input a schema written in RELAX NG XML and compact syntax; it can produce RELAX NG XML, RELAX NG compact syntax, DTD, and WXS as output. After downloading Trang (which includes a JAR file for Jing, a RELAX NG validator), unzipping and installing it, you can convert the RELAX NG schema back to a DTD new-event.dtd ... If you work on the Windows platform, I have also written a set of batch files that will perform all the translations (from instance, to DTD, to RELAX NG, and finally to W3C XML Schema) and then validate against them in one simple step... Using the tools I've described here, you can perform the conversions and validate against the resulting schemas in a matter of seconds. You may still prefer to use a visual editor, but I believe that learning and using these tools can save you time and money..." See general references in "XML Schemas."
[August 30, 2002] "Transporting Binary Data in SOAP." By Rich Salz. From XML.com. (August 28, 2002). ['In his monthly Web services column, XML Endpoints, Rich Salz tackles the problem of sending binary data using SOAP. There are several solutions to this problem, and this month Rich looks at "SOAP Messages with Attachments".'] "... it's not good to try to embed arbitrary binary or XML content into another XML document. This is particularly bad news for SOAP and web services, since SOAP messages are XML documents with a thin layer -- a SOAP bubble, perhaps? -- around them. The right approach is to pull the embedded content out of the XML container, and replace it with a link. Fortunately, SOAP defines the href attribute that makes such linking fairly easy... Usually it's necessary to bundle the data with the message. When this is done, we typically call the SOAP message the payload and the data that used to be embedded as attachments. There are three common formats for doing this. In no particular order, they are (1) SOAP Messages with Attachments (SwA), which uses multi-part MIME; (2) DIME, a binary packaging format created by Microsoft; (3) BEEP, a very powerful facility by protocol expert Marshall Rose. We'll look at each of these in turn, starting with SwA for the rest of this column, and DIME and BEEP in subsequent months. While "direct handling of binary data" was explicitly declared to be out of scope for the W3C SOAP working group, this should change once SOAP 1.2 enters the standardization track. Using one of the existing mechanisms seems the most reasonable way to move forward... SOAP Messages with Attachments is a W3C Note, just like SOAP 1.1. It was published in December of 2000, seven months after the SOAP Note. The name turns out to have been unfortunate, having usurped the obvious generic term. SwA is very simple: the first part of the multipart MIME message is the XML SOAP document; the subsequent parts contain the attached data. 
The bulk of the document addresses URI resolution, particularly relative URIs. If we ignore them and always use absolute URIs (the current recommendation), the specification becomes even simpler. In the example below, we'll use email-like Message-IDs as our identifiers, as they have the convenient properties of being globally unique and absolute. We'll just attach a prefix to a single Message-ID to distinguish the parts..." See also (1) "Direct Internet Message Encapsulation (DIME)"; (2) "Blocks eXtensible eXchange Protocol Framework (BEEP)." General references in "Simple Object Access Protocol (SOAP)."
[August 30, 2002] "Nobody REALLY Asked Me, But..." By John E. Simpson. From XML.com. (August 28, 2002). ['The summer sun might possibly have gone to the head of John Simpson, our XML Q&A columnist. In this month's column he investigates XSLT scripts for obscuring XML documents.'] "How can I use XSLT to mask not only the markup, but the content of my XML document?...[beer, hack, more beer, hack] As I said in last August's column, this may be pretty effective at stopping a casual reader of the document. But naturally, it falls down as soon as the reader recognizes the document's ROT-13 nature, because she can fairly easily build a 'de-ROT-13' routine to turn the document back into its cleartext form. Incidentally, continuing to discuss all this as 'ROT-13' encoding is a little misleading. That name derived from the fact that 26 letters could be rotated 13 places to produce a simply coded result. What we've now got rotates 52 letters (including lower- and uppercase variants), 10 digits, and 30 punctuation characters. Thus, this form of the encoding might better be referred to as something like ROT-46, or maybe ROT-26,5,15. If you're interested in pursuing this further on your own, you could rotate the characters an arbitrary number of places -- perhaps driven by a global parameter whose value is passed in from outside the stylesheet..."
[August 30, 2002] "W3C, OASIS Look For Common Web Services Ground." By Richard Karpinski. In InternetWeek (August 29, 2002). "The World Wide Web Consortium (W3C) and OASIS -- two bodies building critical Web services and security standards -- held a public forum this week to better coordinate their work in this crucial area... The two standard bodies are wrestling with how to avoid overlap while also coordinating their efforts to ensure key Web and XML specifications remain interoperable. The W3C has created core Web standards ranging from HTML to XML, as well as Web services security standards such as XML-Encryption and XML-Signatures. It has also formed a Web Services Architecture group to guide the big picture deployment of these new, more distributed services architectures. OASIS, meanwhile, was first known for its work on the global e-business standard ebXML but has come on particularly strong in the world of Web services and especially XML security. It now runs six technical committees looking at Web services security, including technologies for authentication, access control, provisioning, biometrics, digital rights, and overall Web services security... The W3C and OASIS already work together at an informal level -- and it's important to note that OASIS is actually a W3C member. Overall, the W3C looks to be best at developing infrastructure-level specifications, especially those that affect the World Wide Web. OASIS works a level up, focusing on e-business and increasingly business-driven Web services and security applications that in many cases consume W3C specs..." See references to the Forum on Security Standards for Web Services and list of presentations.
[August 30, 2002] "Iona CTO Touts Web Services 'Standardization Dream'." By Carolyn A. April. In InfoWorld (August 29, 2002). "Unlike earlier distributed computing technologies, Web services and XML give the software industry a chance to finally realize the 'standardization dream' enjoyed by industries such as transportation and manufacturing, said Iona CTO Eric Newcomer here Thursday... Web services interfaces and standards will enable the lashing together of commodity application functions such as billing systems or credit check approval processes, freeing companies to focus on the value-added elements of particular applications... And while more established distributed computing middleware, such as CORBA, features more robust, reliable technology, Web services will ultimately prevail as the dominant system-to-system integration mechanism because it is based on the Internet and standards and affords a higher level of abstraction to developers through XML versus a language like C and the use of IDLs, he said... To get there, however, Newcomer believes the standards around quality of service features such as security, workflow, and transactions will need to be ironed out -- no easy task given increasing fragmentation among vendors and standards bodies. Agreement on this second layer of standards, above the core XML, SOAP, UDDI, and WSDL, will be slower to come because vendors have money at stake around these protocols, he predicted... In addition, Newcomer said the establishment of a standard Web services reference architecture will be essential to adoption. The W3C, of which Newcomer is a member, is currently working on such an architecture and will release a proposal for public review sometime next month, he said..."
[August 30, 2002] "Standards Bodies Seek to Reconcile Web Services Security." By Shawna McAlearney. In Security Wire Digest Volume 4, Number 65 (August 29, 2002). Report from the Boston Forum on Security Standards for Web Services. "Seeking common ground for the implementation of Web security standards, the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C) took a small step forward Monday to reconcile differences in integration and resource allocation. 'We are looking at ways in which we can maximize the consistency across the standards,' says Phillip Hallam-Baker, a Web services security architect at VeriSign. 'The whole industry realizes the potential of Web services, but without trust and security Web services are dead on arrival.' According to Hallam-Baker, the W3C and OASIS working groups are addressing different levels of security infrastructure... The key standards under W3C include XML Encryption, XML Signature and eXtensible Key Management Specification (XKMS). OASIS's key standards include eXtensible Rights Markup Language (XrML); WS-Security; Security Assertion Markup Language (SAML); and eXtensible Access Control Markup Language (XACML). 'For example XKMS and SAML both define a mechanism for authenticating SOAP messages,' says Hallam-Baker. 'WS-Security is a level higher, encompassing our experience with XKMS and SAML and providing a framework for applying standards to authenticate and encrypt any type of Web services message...'"
[August 30, 2002] "Web Services Security Standards Forum." Technical Keynote by Dr. Phillip M. Hallam-Baker C.Eng. FBCS (VeriSign Inc) presented at the Forum on Security Standards for Web Services, Boston, 26 August, 2002. The Forum was co-sponsored by OASIS and W3C. "What Parts of Web Services Security Should Be Infrastructure? Replicate security context provided by O/S: [1] Protected Memory (Prevents modification of process state; Prevents interception of function calls; Prevent disclosure); [2] Access Control (Authentication; Authorization; Auditing). Problem Space: [1] Infrastructure: Policy, Conversation, Confidentiality, Integrity, Access Control; [2] Security Infrastructure Services: Trust, Authorization, Authentication, Attributes; [3] Applications: Funds Transfer, Payroll, Inventory, Purchasing. Without Security and Trust: Web Services are Dead On Arrival. Conclusions: Considerable progress has already been made; Industry wide consensus on value of standards; Basic Infrastructure is in place or in development; There is considerable consensus on the roadmap; Security need not be the show stopper..." [source .PPT]
[August 30, 2002] "OASIS XACML TC and Rights Language TC." By Hal Lockhart (Entegrity). Among the presentations given at the Forum on Security Standards for Web Services, Boston, 26 August, 2002. XACML and RLTC 'Forty Thousand Foot View': Both deal with the problem of Authorization; Both draw requirements from many of the same application domains; Both share many of the same concepts, but in some cases use different terms; Both base specification on XML Schema; Each approaches the problem differently. Types of Authorization Information: [1] Attribute Assertion (Properties of a system entity, typically a person; Relatively abstract - business context; Same attribute used in multiple resource decisions; Examples: X.509 Attribute Certificate, SAML Attribute Statement, XrML PossessProperty); [2] Authorization Policy (Specifies all the conditions required for access; Specifies the detailed resources and actions/rights; Can apply to multiple subjects, resources, times...; Examples: XACML Policy, XrML License, X.509 Policy Certificate); [3] AuthZ Decision (Expresses the result of a policy decision; Specifies a particular access that is allowed; Intended for immediate use; Example: SAML AuthZ Decision Statement). Web Services Security: [1] SAML, XACML and RLTC Spec can all convey AuthZ Info, carry in SOAP header [2] Possible use in Policy Advertisement [3] Issues: Substantial overlap between SAML/XACML & XrML - not clear what is best for what use; Intellectual Property Issues; Controversies over DRM itself; XACML and XrML are complex, will take time to understand. See: (1) "Extensible Access Control Markup Language (XACML)"; (2) "OASIS Rights Language." [source .PPT]
[August 30, 2002] "OASIS Fuels Security Agenda." By Brian Fonseca. In InfoWorld (August 30, 2002). "Next week, 95 individuals representing 56 different companies will meet in Redwood City, Calif. [...] in a new TC (technical committee) being formed by the Organization for Advancement of Structured Information Standards (OASIS) to address the WS-Security specification, said Kelvin Lawrence, distinguished engineer at Armonk, N.Y.-based IBM and co-chair of the OASIS WS-Security TC. Lawrence said a complete list of accepted members will appear on the OASIS Web site after the meeting. OASIS members that have proposed TC participation include BEA Systems, Cisco, Intel, IBM, Microsoft, Sun Microsystems, Entrust, IONA, Novell, VeriSign, Netegrity, Oblix, SAP, RSA, Baltimore Technologies, OpenNetwork, Systinet, and Documentum. Originally created by Microsoft, IBM, and VeriSign, WS-Security proposes a standard building-block set of SOAP extensions to construct secure Web services and offer support for multiple security tokens, trust formats, signature formats, and encryption technologies. The security standards effort taps into long-held enterprise concerns. According to a Forrester Research report released in June, Web services will remain hidden in the back office until multiple levels of authentication and encryption, centralized authorization and auditing, seamless message signing, and consumption of external authentication services desires are met. IBM's Lawrence said three input documents will be discussed at the inaugural WS-Security TC meeting, including the original WS-Security specification and a submission by the OASIS SAML TC to examine how SAML will utilize WS-Security. A WS-Security addendum will also be introduced as a result of 'lessons learned' during a Web services interoperability test between Microsoft .Net and IBM WebSphere servers at the XML Web Services One conference in Boston this week...
This week, the Liberty Alliance Project announced that 30 companies joined its ranks -- boosting total membership to more than 95 companies -- to develop open interoperable specs for federated network identity... According to Rob Cheng, senior iPlatform analyst at Redwood Shores, Calif.-based Oracle and co-chair of the Web Services Interoperability (WS-I) organization's marketing committee, the WS-I is on track to produce Version 1.0 of its WSBasic profile, which will feature sample applications and testing tools, in the fourth quarter. A profile is a set of best practices designed to bridge the gap between standards organizations and end-users." References: (1) "Web Services Security Specification (WS-Security)"; (2) "Liberty Alliance Specifications for Federated Network Identification and Authorization"; (3) "Web Services Interoperability Organization (WS-I)."
[August 29, 2002] "OASIS Forms Technical Committee To Tackle UDDI." By Richard Karpinski. In InternetWeek (August 29, 2002). "The OASIS standards group this week launched a new technical committee to oversee the development of UDDI, the registry and lookup technology in the Web services software stack. UDDI.org, which developed the early Universal Description, Discovery and Integration specs, agreed to move UDDI into OASIS last month. At that time, OASIS.org also released version 3.0 of the UDDI specs, which added crucial enterprise functionality such as built-in security and support for digital signatures. At OASIS, UDDI will go through the group's usual standards processes and eventually emerge with a consensus-driven, 1.0 version of a UDDI standard... OASIS CEO Patrick Gannon said that UDDI is a good fit for his group, which is 'really about applying core standards and applying them to business needs.' OASIS has taken many important standards processes, including ebXML, WS-Security, and others..." See details in the 2002-08-29 news item "OASIS UDDI Specification Technical Committee Continues Work on Web Services Registry Foundations." General references: "Universal Description, Discovery, and Integration (UDDI)."
[August 29, 2002] "Internet Open Trading Protocol Version 2 Requirements." By Donald E. Eastlake 3rd (Motorola). Request for Comments (RFC): 3354. Date: August 2002. I-D Tag: 'draft-ietf-trade-iotp2-req-02.txt'. "This document gives requirements for the Internet Open Trading Protocol (IOTP) Version 2 by describing design principles and scope and dividing features into those which will, may, or will not be included. Version 2 of the IOTP will extend the interoperable framework for Internet commerce capabilities of Version 1 while replacing the XML messaging and digital signature part of IOTP v1 with standards based mechanisms... IOTP v2 will provide optional authentication via standards based XML Digital Signatures [RFC 3275]; however, neither IOTP v1 nor v2 provide a confidentiality mechanism. Both require the use of secure channels such as those provided by TLS [RFC 2246] or IPSEC for confidentiality and depend on the security mechanisms of any payment system used in conjunction with them to secure payments..." WG description from the charter: "The Internet Open Trading Protocol is an interoperable framework for Internet commerce. It is optimized for the case where the buyer and the merchant do not have a prior acquaintance and is payment system independent. It can encapsulate and support payment systems such as SET, Mondex, secure channel card payment, GeldKarte, etc. IOTP is able to handle cases where such merchant roles as the shopping site, the payment handler, the deliverer of goods or services, and the provider of customer support are performed by different Internet sites. The working group will document interoperability experience with IOTP version 1 (which has been published as an Informational RFC) and develop the requirements and specifications for IOTP version 2. Version 2 will make use of an independent Messaging Layer and utilize standard XML Digital Signatures." 
See (1) Internet Open Trading Protocol (Trade) Working Group; (2) "Internet Open Trading Protocol (IOTP)."
[August 29, 2002] "Cape Clear Offers WSDL Editor." By Carolyn A. April. In InfoWorld (August 29, 2002). "Cape Clear Software next week will serve up a graphical WSDL (Web Services Description Language) Editor designed to simplify and encourage development of Web services applications. A core standard around Web services, WSDL provides a standard way to describe what a service does, in terms of its functionality, specifications, inputs, outputs, and accessibility methods. The WSDL Editor, which will be available for free download, is focused on helping developers design the WSDL for a particular Web service up front -- before they do any coding of the application itself, according to officials at Dublin, Ireland-based Cape Clear... [John] Maughan said this top-down tack has several advantages over a 'bottom-up' approach of coding first and then creating WSDL, among them: the separation of design over development and implementation; interoperability across development frameworks such as J2EE and .Net; and the ability for Web services consumers and producers to work in parallel and for corresponding developers to use different languages. Likening the tool to a WYSIWYG HTML editor for building Web pages, Maughan said the WSDL Editor is best used for development projects that start from scratch or for those that center on building a Web service based on an existing XML schema, such as SWIFT or RosettaNet. In cases where a developer plans to expose existing code as a Web service, the better choice for creating WSDL is a 'generator' that automatically spits out WSDL code around the application, he added... Cape Clear officials said the WSDL Editor is also an attempt to encourage Web services development in general..."
[August 29, 2002] "XML Web Services: Is the End Near?" By Darryl K. Taft. In eWEEK (August 28, 2002). "For the second day in a row at the XML Web Services One conference here, a keynote speaker got up and signaled the impending end to the Web services era, at least on a standards level. Don Box, an architect in Microsoft Corp.'s developer division told an audience of Web services conference attendees Wednesday: 'The end of the XML Web services era is near. I predict two years from now we won't have this conference'... Box said Microsoft has been moving awfully fast with its Global XML Architecture (GXA) for Web services; an interoperability demonstration between IBM and Microsoft here at the conference [serves] as evidence that the technology is constantly improving... Box posed the question of why Microsoft is pursuing a Web services strategy. 'Because we hit the wall with the prior technology,' he said. He said Microsoft's COM (Component Object Model) and DCOM (Distributed Component Object Model) hit the wall. 'On the XML front we needed a replacement for DCOM, so XML Web services is the way we went. Microsoft has bet the company on this thing and it is our intention to make all software integration based on Web services.' In addition, he said, some of the Web services standards are mature and need to be finalized. He said the Simple Object Access Protocol (SOAP) 1.3 is a bad idea because the specification covers all the necessary functionality for a SOAP implementation. 'SOAP 1.2 should be the end of the line,' he said. Box also said Universal Description, Discovery and Integration (UDDI) is the technology of the future, but that may change in 2003. Microsoft is shipping UDDI as part of its operating system, Box said..." See: (1) "Universal Description, Discovery, and Integration (UDDI)"; (2) "Microsoft Announces Web Services Development Kit Technology Preview."
[August 28, 2002] "Liberty Alliance Picks Up More Members." By Matt Berger. In InfoWorld (August 28, 2002). "Another 30 companies have thrown their support behind Liberty Alliance Project, an effort to create a standard technology that allows users to travel password-protected Web sites using a single user name and password. The effort is backed by Sun Microsystems and a number of hardware, software and consumer services companies as diverse as United Air Lines, General Motors and American Express. It now has more than 95 members from private industry, not-for-profit organizations and government, the group said in a statement Wednesday. New members include Sprint, security and authentication technology maker Baltimore Technologies, network management software maker Oblix, and Internet2, a consortium of university researchers, private industry and government agencies that are working to develop and deploy advanced network applications. The Liberty Alliance released the first version of its specification in July based on the security standard SAML (Security Assertion Markup Language). As it is designed, users would be able to use a single online identity to traverse Web sites or gain access to corporate applications and databases that support the Liberty Alliance specification. The specification allows Web site operators to build in functions that allow users to 'opt-in' to share their user name and password with other Liberty-enabled Web sites, as well as a 'global log out' for signing off all participating Web sites in a single action. A similar technology is available from Microsoft through its Passport authentication service, with which users can travel Passport member Web sites without having to re-enter a user name and password each time. Microsoft and the Liberty Alliance have yet to synchronize their efforts, though Microsoft said in July that it would include support for SAML in future versions of its Windows operating system..." 
See: (1) the text of the announcement: "Liberty Alliance Increases Ranks With 30 New Members From Across The Globe"; (2) "Liberty Alliance Specifications for Federated Network Identification and Authorization."
[August 28, 2002] "DataPower delivers XML Acceleration Device." By Scott Tyler Shafer. In InfoWorld (August 28, 2002). "Datapower Technology on Monday unveiled its network device designed specifically to process XML data. Unlike competing solutions that process XML data in software, DataPower's device processes the data in hardware -- a technology achievement that provides greater performance, according to company officials. The new device, dubbed DataPower XA35 XML Accelerator, is the first in a family of products expected from the Cambridge, Mass.-based startup. The DataPower family is based on a proprietary processing core technology called XG3 that does the analysis, parsing, and processing of the XML data. According to Steve Kelly, CEO of DataPower, the XA35 Accelerator was conceived to meet the steady adoption of XML, the anticipated future proliferation of Web services, and as a means to share data between two businesses. Kelly explained that converting data into XML increases the file size up to 20 times. This, he said, makes processing the data very taxing on application servers; DataPower believes an inline device is the best alternative. In addition to the large file sizes, security is also of paramount importance in the world of XML... According to DataPower, most existing solutions to offload XML processing are homegrown and done in software -- an approach the company itself tried initially and found to be inadequate with regards to speed and security. After trying the software path, the company turned to creating a solution that would process XML in hardware... Other content-aware switches, such as SSL (secure socket layer) accelerators and load balancers, look at the first 64 bytes of a packet, while the XA35 provides deeper packet inspection, looking at 1,400 bytes and thus enabling greater processing of XML data, Kelly explained. 
The 1U-high network device has been tested against a large collection of XML and XSL data types and can learn new flavors of the markup language as they pass through the device..." See the announcement "Datapower Technology Delivers Industry's First Wire-Speed Intelligent XML-Aware Network Device. Datapower XA35 XML Accelerator Solves Performance and Scalability Issues for XML Web Services and Enterprise Applications."
[August 28, 2002] "Standardizing Web Services Nears Completion." By Darryl K. Taft. In eWEEK (August 28, 2002). "The effort to standardize the Web services arena is but six to nine months from completion, but the work necessary to implement all the standards to create a totally services-oriented architecture is at least a year to two years away, according to one IBM executive. Robert Sutor, IBM's director of e-business standards strategy, demonstrated at the XML Web Services One conference here interoperability between an IBM WebSphere-based Web services system and a Microsoft Corp. .Net Web services system. The scenario included a client, a brokerage house and trade desks at an institution, where each point was able to swap code between WebSphere and .Net. 'The demo showed the degree to which WebSphere and .Net could interoperate on a standard level,' Sutor said. The demonstration used the SOAP (Simple Object Access Protocol), WSDL (Web Services Description Language), WS-Security and WS-Attachments... There is still work to be done on Web services security, but the recent move of the WS-Security specification into the OASIS standards organization should help to move that forward, according to Sutor. Indeed, he said, business processing, workflow, transactions and systems management are going to be big areas for the future. 'We'll be spending the next couple of years in standards organizations finalizing these things,' Sutor said. 'The standardization work will continue, but for the big picture we've only got six to nine months on this.' ... Meanwhile, Sutor said the Web Services Interoperability organization, which IBM founded with Microsoft, BEA Systems Inc. and other companies, has played a crucial role already in the Web services arena. 'With WS-I there's much better liaison between OASIS and the W3C..." See: "Web Services Interoperability Organization (WS-I)."
[August 28, 2002] "Check Point Tweaks Firewall To Secure Web Services." By Richard Karpinski. In InternetWeek (August 28, 2002). "Striking back against growing numbers of specialty XML security appliances, firewall and security vendor Check Point Software Tuesday released a free upgrade to its firewall to help enterprises secure XML- and SOAP-based traffic. The new capabilities -- dubbed Application Intelligence Technology -- will be available as a no-charge feature for licensed users of Check Point's firewall and VPN offerings. The market has been flooded with a slew of so-called 'XML firewalls' of late, or standalone servers or appliances that aim to inspect and secure Web services traffic separate from network-level security devices and firewalls. Those vendors say that XML processing and security is so fundamentally different than what happens at a network firewall that it requires a new firewall altogether. Check Point, in comparison, not only believes that XML processing can happen on firewall boxes, but that application-layer security on those firewalls shouldn't just be limited to HTTP- and XML-based traffic, but should support a wide array of application security measures, said April Fontana, Check Point product marketing manager... In addition, by placing XML and network firewall security on the same box, it assures that network-level attacks -- such as denial of service or IP spoofing -- don't take down a standalone XML firewall... Security for XML and SOAP will be available at no additional cost in the latest version of Check Point VPN-1/FireWall-1 Next Generation, Feature Pack 3, starting in September." See the announcement "Check Point Software First to Secure Web Services. XML/SOAP Security Made Possible With Breakthrough Application Intelligence Technology."
[August 28, 2002] "Liberty Alliance Adds Technical Muscle." By Sandeep Junnarkar. In CNET News.com (August 28, 2002). "The Liberty Alliance Project added a new member on Wednesday, boosting its efforts to establish an online authentication plan to compete with Microsoft's Passport online ID system. Bridgewater Systems said it plans to provide technical expertise in network identification and authentication to Liberty's quest to establish new standards in online authentication systems. The Canadian software developer joins a growing number of companies aligned with Sun Microsystems' Liberty Alliance effort. Heavyweights like American Express, America Online and Hewlett-Packard are among the other members. The group is trying to establish a standard method for online identification that would let a computer user log on once, to one Web site, then have other sites recognize that user as authenticated. Bridgewater supplies software to network service providers that allows them to differentiate access to wireline and wireless services based on the identity of the user or the application. This capability, Bridgewater said, lets service providers solve problems such as how to account for services and track them, and how to prevent unauthorized access... Sun and Microsoft... are each rushing to build and market an authentication system that consumers and businesses alike will trust. Such identity systems are an essential ingredient if next-generation Web services are to actually become mainstream, bringing useful new Internet services to businesses and consumers. Sun is counting on Liberty to become part of the pantheon of Web services standards, and it has been pushing to have such specifications be royalty-free. Liberty's 'single sign-on' standard is based on another newly released standard, the Security Assertion Markup Language (SAML)..." 
See: (1) the announcement: "Liberty Alliance Increases Ranks With 30 New Members From Across The Globe"; (2) "Liberty Alliance Specifications for Federated Network Identification and Authorization."
[August 28, 2002] "Answering the Critical Web Services Questions." By Peter Fischer. In Application Development Trends Volume 9, Number 7 (July 2002), pages 51-57. ['The hyperbole surrounding the Web services phenomenon appears to be reaching its peak; now IT developers must determine whether the technology can really be a key enabler for enterprise portals and application integration.'] "Web services' capabilities and features are not new. The idea of providing distributed software services has been around for more than a decade. Technologies like RPC, DCOM and CORBA were built from a client/server foundation focused on creating a standard technology platform on which to accomplish 'true' app-to-app communication by providing access to remote methods. Messaging then came along and freed us from the shackles of synchronous communication, enabling point-to-point and Publish/Subscribe communication models utilizing messages as the 'exchange currency.' ... The technologies that work together to provide this ubiquitous standard connectivity are XML, SOAP, WSDL and UDDI. These technologies work together to provide a Web services model with important functionality: a loosely coupled model for exchanging information; a standard format for packaging and sending data over the wire; the ability to make interface definitions available; the ability to locate and register interest in a service; and the ability to describe the capabilities of a service and information about how to access a service... From a technical perspective, Web services fills in what EAI lacked -- a standard, on-the-wire format to enable app components to exchange messages in an implementation-independent way. Web services, through SOAP and XML, provides this format and 'XML-itizes' app integration. Combining its loosely coupled nature with standard-driven technologies that are 'toolable,' Web services is a good approach to app integration in the small. 
The sweet spot for Web services is sharing business logic in a non-intrusive way. Existing interfaces can be 'e-nabled' for integration within the enterprise and between partners and customers. Web services provide an 'inside out' approach to app integration where existing interfaces are wrapped as components with interfaces specified in XML in WSDL files... The Web services technology stack is penetrated through the use and leverage of XML. XML provides the lingua franca of Web services; every other Web services technology eats and breathes XML. I use the term 'informational middleware' to describe XML's power, applicability and potential. Web services finally realize XML's promise by providing the standard format for specifying both application interfaces and application messages... Firms should not delay in adopting Web services as an integral component of their IT toolkits. Despite the fact that interfaces like UDDI are still maturing, and security is still a work in progress, the foundation technologies of XML, SOAP and WSDL are mature and well formed..."
[August 27, 2002] "XML-Signature XPath Filter 2.0." W3C Proposed Recommendation 27-August-2002. Authors/Editors: John Boyer (PureEdge Solutions Inc.), Merlin Hughes (Baltimore Technologies Ltd.), and Joseph Reagle (W3C). Version URL: http://www.w3.org/TR/2002/PR-xmldsig-filter2-20020827. The PR specification "describes a new signature filter transform that, like the XPath transform (XML-DSig, section 6.6.3), provides a method for computing a portion of a document to be signed. In the interest of simplifying the creation of efficient implementations, the architecture of this transform is not based on evaluating an XPath expression for every node of the XML parse tree (as defined by the XPath data model). Instead, a sequence of XPath expressions are used to select the roots of document subtrees -- location sets, in the language of XPointer -- which are combined using set intersection, subtraction and union, and then used to filter the input node-set. The principal differences from the XPath transform are: A sequence of XPath operations can be executed in a single transform, allowing complex filters to be more-easily expressed and optimized. The XPath expressions are evaluated against the input document resulting in a set of nodes, instead of being used as a boolean test against each node of the input node-set. To increase efficiency, the expansion of a given node to include all nodes having the given node as an ancestor is now implicit so it can be performed by faster means than the evaluation of an XPath expression for each document node. The resulting node-sets can be combined using the three fundamental set operations (intersection, subtraction, and union), and then applied as a filter against the input node-set, allowing operations such as signing an entire document except for a specified subset, to be expressed more clearly and efficiently..." See IETF/W3C XML Signature Working Group.
[August 27, 2002] "What's Behind BEA's Big Bet On Tools?" By Jack Vaughan. In Application Development Trends Volume 9, Number 8 (August 2002), pages 48-55. ['The company started life with the Tuxedo transaction monitor, then its WebLogic Java application server redefined the middleware market. Now BEA Systems will seek to entice a broader group of developers to work with Java.'] "...In the last five years, BEA Systems has hurdled into the top ranks of enterprise software companies. And it did it on the back of one of the hottest products the industry has ever seen. BEA's WebLogic application server was the proverbial right product in the right place at the right time. San Jose, Calif.-based BEA appears to sense it may be time to turn its back on the notion that tools should be completely independent of runtime software, and it is now ready to push tools along with its platforms. It is also wagering that Java needs a mainstream IDE to attract wider use. Thus, the firm is beginning to promote its WebLogic Workshop software at the same time it shows diminished interest in technical Java tools from Santa Clara, Calif.-based WebGain, a third-party tool maker BEA helped fund, but which has struggled in recent months. A number of traits have merged harmoniously, creating success for the WebLogic server over the last few years. The BEA application server was fast, had an architecture that impressed enterprise shops with transaction processing backgrounds, and it adhered carefully to the new J2EE compatibility standard. With the Java application server, the foggy notion of 'middleware' gained definition, and BEA's WebLogic server was the most brilliant example... BEA has begun to tout its new line of WebLogic Workshop tools, which is a change for a company that avoided making tools in the past... BEA has been quickly forced into the role of big league player. But it has not proved shy about driving change. More barbs will come its way.
Its WebLogic Workshop offering especially will come in for arrows from competitors that challenge whether it is truly standard Java. While BEA has tried to create a way of abstracting complexity without disrupting standard Java, Workshop must rely on useful, callable BEA-created components for handling some common but difficult Java programming tasks. In the loosely knit Java community, that is usually an ingredient for controversy... Having reached nearly $1 billion in yearly revenue, said Gartner's Natis, BEA is a vendor at a crossroads. Getting to higher revenues will be difficult. BEA comes to its present position with some brave plans that, at the very least, help to make the software business interesting. In the end, corporate application managers and programmers will decide, as ever, if the products live up to the promise..."
[August 27, 2002] "Microsoft Delivers Web Services Toolkit." By Richard Karpinski. In InternetWeek (August 27, 2002). "Microsoft this week made available an add-on to its Visual Studio development platform that makes it easier for developers to build applications that support the Web services specifications it is forwarding. The new Microsoft Web Services Development Kit supports specs such as WS-Security, WS-Routing, and WS-Attachments. Though there is broad industry support behind some of these efforts -- especially WS-Security, which now has wide backing and is on a standards track in the OASIS group -- none are yet official standards. Yet the specs are strongly backed by Microsoft, and thus inclusion of them in the popular Visual Studio not only puts them into wide use, it sets up a scenario that could push rivals -- such as Sun Microsystems -- to back the specs or push its developers in another direction. That begins to move the battle over Web services specs out of the standards bodies and into the marketplace. Microsoft, Sun, and others continue to talk a good game on Web services standards, but some major fissures remain. Perhaps most notably, Sun has not yet been asked to join the Web Services Interoperability group as a board member, it says, a requirement for joining that organization. And while Sun has climbed on board WS-Security, the latest major Web services forwarded at OASIS saw IBM, Microsoft, and BEA taking the lead -- and Sun nowhere to be found. The new development kit is available for free download from the MSDN developer Web site. It plugs into the Visual Studio .Net development tool and fits the company's overall .Net framework..." See details in "Microsoft Announces Web Services Development Kit Technology Preview."
[August 27, 2002] "What's New in EJB 2.1?" By Emmanuel Proulx. Published on The O'Reilly Network, ONJava.com (August 14, 2002). "Only a few J2EE application servers are following the EJB 2.0 specification, and already the EJB 2.1 draft specification is out. For you busy folks who want to know about what the future has in store for EJBs but don't have the time to read a 636-page document, here is a quick overview. Fair warning: the specification is a draft, so many parts are incomplete or will change. Quick List of New Features: (1) Message-driven beans (MDBs): can now accept messages from sources other than JMS; (2) EJB query language (EJB-QL): many new functions are added to this language: ORDER BY, AVG, MIN, MAX, SUM, COUNT, and MOD; (3) Support for Web services: stateless session beans can be invoked over SOAP/HTTP. Also, an EJB can easily access a Web service using the new service reference; (4) EJB timer service: a new event-based mechanism for invoking EJBs at specific times; (5) Many small changes: support for the latest versions of Java specifications, XML schema, and message destinations... The ejb-jar.xml standard deployment descriptor is now specified with XML schema, rather than DTD... One of the best features of EJB 2.1 is the support for Web services. This applies to two different areas: accessing an EJB as if it were a Web service, and an EJB directly accessing a Web service. A stateless session EJB can now be accessed through a Web service. In order to do that, the client must use SOAP over HTTP or HTTPS, and use a WSDL descriptor. Furthermore, the stateless session bean must be invoked 'RPC-style'..." See also (1) Enterprise JavaBeans 2.1 as JSR 153; (2) Enterprise JavaBeans, 3rd Edition, By Richard Monson-Haefel.
[August 27, 2002] "W3C, OASIS Meet Over Web Security Standards." By Darryl K. Taft. In eWEEK (August 27, 2002). "Despite the best efforts to come to agreement on Web security standards, two leading standards bodies can best say they have made a start on moving to a common set of standards. At the XML Web Services One Conference in Boston, the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C) held an all-day forum to hash out where they need to pool their resources and integrate security standards efforts. 'Standards should be enablers, not limiters,' said Phillip Hallam-Baker, chief engineer at VeriSign Inc., which is a co-author of the WS-Security specification. 'Don't complain if companies don't wait for standards to catch up.' He added, 'Without trust and security, Web services are dead on arrival.' Hallam-Baker said key standards under the W3C include XML Encryption, XML Signature and eXtensible Key Management Specification (XKMS), whereas the key standards under OASIS include Extensible Rights Markup Language (XrML), WS-Security, Security Assertion Markup Language (SAML), Provisioning, Biometrics and Extensible Access Control Markup Language. Some users expressed the need for more cohesion among the standards. However, Hallam-Baker said there is no standards war. 'Either there is genuinely more than one approach that makes sense' or the individual standards can be put together, he said. And although 'there is lots of potential overlap, we're very capable to start it on a very, very specific theme. You're seeing convergence on a single approach,' he added. However, some users said they cannot wait for the standards bodies to come up with standards because they must implement systems today. Patrick Gannon, CEO of OASIS, said, 'It's not just that we're using standards, but we have the ability to get wide adoption of standards...
There will be more coordination [between the W3C and OASIS] moving forward'..." See "Forum on Security Standards for Web Services."
[August 27, 2002] "Update on SSML [Speech Synthesis Markup Language Specification]." By Daniel C. Burnett. In VoiceXML Review (July/August 2002). "The Speech Synthesis Markup Language (SSML), as its name implies, provides a standardized annotation for instructing speech synthesizers on how to convert written language input into spoken language output. This language has been under development within the Voice Browser Working Group (VBWG) of the World Wide Web Consortium (W3C) for a few years. This article provides a brief update on the status and future of SSML. For background on SSML and an introduction to its features... In April of 2002, the Voice Browser Working Group issued another Working Draft (not a Last Call this time) with some minor content changes. The group is now working towards publication of a new Last Call WD. The April 2002 draft has a fairly small number of changes from the January 2001 draft. It was released primarily to provide XML Schema support for use in VoiceXML and to bring the definition of valid SSML documents in line with that in the other Voice Browser Working Group specifications... The W3C has now moved from encouraging the use of XML Schema to the stronger position of explicitly discouraging the use of DTDs. While the creation of a schema when you already have a DTD is fairly straightforward, the fact that SSML is expected to be embedded in other markup languages (of which VoiceXML is the first example) brought additional requirements to the table: (1) the need to be able to incorporate SSML elements into the host language namespace, (2) the need to modify the SSML elements to add host language-specific attributes and functionality. In the SSML specification the DTD is now informational only, while the schema provides the normative definition of the syntax of the language...
Any changes for the next [future] draft are likely to fall into two categories: clarifications of ambiguous or confusing features and text, and the addition features requested or encouraged by other groups in the W3C. Two portions of the specification that were vague in the last Working Draft are the use of the xml:lang attribute and the <say-as> element... The <metadata> element in VoiceXML and SRGS provides a mechanism for expressing information about the document. Both recommend the use of the Resource Description Format (RDF) syntax and schema as the content format for this element; RDF 'provides a standard way for using XML to represent metadata in the form of statements about properties and relationships of items on the Web.' This element (with suggested content structure) is part of the W3C's Semantic Web Initiative, an attempt to develop standard ways of representing the meaning of XML-structured data on the World Wide Web. As such, it is likely that such a capability will be encouraged for SSML..." See: "W3C Speech Synthesis Markup Language Specification."
[August 27, 2002] "The IETF Speech Services Control Working Group." By Eric Burger. In VoicexML Review (July/August 2002). "Speech recognition technology has become an essential building block for a new wave of next generation enhanced services. Speech resources such as automated speech recognition (ASR), text-to-speech (TTS), and speaker verification (SV) are becoming key features in a range of new services that help businesses manage their work force and customer base more efficiently and enable consumers to communicate in compelling new ways. We are just now seeing interesting applications where you speak to an application and it responds to you, such as automated stock trading, airline reservations, and e-mail by phone. Speech resources make these interesting and useful applications possible... Right now, most of these applications are experiments, trials, and limited deployments. There are a number of challenges still facing speech resource providers, application developers, and platform manufacturers. The IESG recently chartered speechsc, or the Speech Services Control Work Group of the IETF to develop a more effective protocol for speech recognition technology in next generation networks. This article will briefly discuss what speechsc is, what the expected benefits of the protocol will be, the role of the work group, and the speech services vision... The speechsc Work Group will develop protocols to support distributed media processing of audio streams. The focus of the working group is to develop protocols to support ASR, TTS, and SV. The working group will only focus on the secure distributed control of these servers... The work of the group is complimentary to work going on in other standards bodies. We are coordinating with ETSI Aurora, ITU-T Study Group 16 Question 15, the W3C Multi-Modal Interaction Work Group, and other groups, as appropriate. 
The speechsc Work Group of the IETF is taking on the interesting work of enabling media servers, VoiceXML Interpreters, arbitrary speech applications, and possibly even wireless handsets to access distributed speech resources. This will enable new and useful applications that are speech driven and integrate multiple media types. The work group will improve upon the existing protocols and produce a robust, extensible protocol that meets the needs of ASR, TTS, and SV today and into the future..." The WG has a Speech Services Control Working Group Discussion list and archives. See also "VoiceXML Forum."
[August 27, 2002] "BEA, Palm Partner On Web Services For Handhelds." By Paul Krill. In InfoWorld (August 27, 2002). "Palm and BEA Systems on Tuesday will announce plans to boost development of Web services-based applications for Palm handheld devices. The plan melds Palm's Reliable Transport infrastructure technology with the BEA WebLogic Server 7.0, BEA's J2EE-based application server platform. Developers, the vendors said, will be able to build Palm applications that can either be wireless or downloaded via a Palm cradle to interface to back-end business logic... Through the partnership, a BEA WebLogic Workshop component called a control will be developed to bridge WebLogic to the Palm, according to Chris Morgan, Palm director of strategic alliances. Palm's Reliable Transport technology will be deployed to take care of low-level communications between the applications server and the handheld, Morgan said. Reliable Transport supports protocols such as GPRS. Web services will be deployed with Reliable Transport to move XML and SOAP messages back and forth between the application server and device, said Morgan... To run applications, the Palm client will require the Reliable Transport technology, an XML parser, SOAP engine and, to run Java code, a Java Virtual machine from PalmSource. The Palm control resides on the application server. The Palm-BEA arrangement will enable a single application to be developed for both the Palm and the server, Morgan said. 'Right now, to do this, [developers] would have to do all the business logic in the BEA server. Today, they would then have to write a completely different application for the Palm,' he said. Applications such as travel or expense reports could be deployed on the Palm via the arrangement between the companies, according to Morgan. A beta release of the BEA-Palm software combination is due in late-2002, with general availability planned for the first quarter of 2003..." 
Related: "Palm and IBM team to deliver wireless solutions." See the announcement: "Palm and BEA Partner to Mobilize Web Services in the Enterprise. Industry Leaders to Enable Enterprises to Develop and Deploy Web Services and Extend Enterprise Data Access to Palm Handhelds."
[August 27, 2002] "Burning for Web Services." By Brian Fonseca. In InfoWorld (August 27, 2002). "A battle is brewing between traditional firewall players and a new breed of XML-application firewall vendors as both push wares that promise to protect enterprises from the security threats Web services may bring. Analysts say that whereas most of the mainstream firewall players, such as Symantec, Network Associates, Cisco, and even Microsoft, rest on their laurels, a group of startups is emerging to take dead aim at securing Web services. Stepping forward on Tuesday, Check Point Software Technologies will be the first of the stalwarts to make a move in the Web services sector when it unveils a SOAP and XML strategy within its FP3 (Feature Pack 3) software upgrade. Due next month, FP3 will include SSL VPN capabilities and stateful inspection of SOAP and XML traffic within HTTP and HTTPS, said Neal Gehani, senior product manager at Redwood City, Calif.-based Check Point. FP3 will enable Check Point's products to provide an integrated network and application layer that performs authentication, routing, QoS (quality of service), and management of Web services transactions and messages... Matthew Kovar, an analyst at Cambridge, Mass.-based The Yankee Group, said that Check Point has yet to be tested against new applications that require a stand-alone proxy. Kovar also questioned the company's expertise to identify all types of malicious activities Web services and its protocols may bring... Last week, XML firewall upstart Quadrasis introduced its SOAP Content Inspector, an entry-level point for customers to wrap authentication, authorization, and alerts around bidirectional SOAP and XML messages. The software product offers a proxy-based approach that does not depend on a Web server, and it supports fledgling Web services security standards such as WS-Security, Microsoft Passport, and SAML (Secure Assertion Markup Language)." 
See the Check Point announcement "Check Point Software First to Secure Web Services. XML/SOAP security made possible with Breakthrough Application Intelligence Technology."
[August 26, 2002] "SAML Secures Web Services." By Linda Rosencrance. In ComputerWorld August 26, 2002. ['The Security Assertions Markup Language (SAML) is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.'] "If an emerging security specification for Web services from the Organization for the Advancement of Structured Information Standards (OASIS) consortium succeeds, the days of multiple sign-ons could be over for companies and their business partners. OASIS is a worldwide not-for-profit consortium that drives the development, convergence and adoption of e-business standards. Its Security Assertions Markup Language (SAML) Specifications Set 1.0 is a vendor-neutral, XML-based framework for exchanging security-related information, called 'assertions,' between business partners over the Internet. OASIS is scheduled to adopt SAML by the end of November, according to Jeff Hodges, co-chairman of the OASIS Security Services Technical Committee, which developed the specification. SAML is designed to deliver much-needed interoperability between compliant Web access management and security products. The result: Users should be able to sign on at one Web site and have their security credentials transferred automatically to partner sites, enabling them to authenticate once to access airline, hotel and rental car reservations systems through Web sites maintained by associated business partners, for example. SAML addresses the need to have a unified framework that is able to convey security information for users who interact with one provider so they can seamlessly interact with another, according to Hodges. SAML doesn't address privacy policies, however. Rather, partner sites are responsible for developing mutual requirements for user authentication and data protection. The SAML specification itself doesn't define any new technology or approaches for authentication. 
Instead, it establishes assertion and protocol schemas for the structure of the documents that transport security. By defining how identity and access information is exchanged, SAML becomes the common language through which organizations can communicate without modifying their own internal security architectures..." See "Security Assertion Markup Language (SAML)."
[August 26, 2002] "What's New in EJB 2.1?" By Tarak Modi. In Java Pro Magazine Volume 6, Number 10 (October 2002). ['The Enterprise JavaBeans 2.1 specification extends the existing Enterprise JavaBeans 2.0 specification with new features, including support for JAXM message-driven beans, enhancements to EJB QL to support aggregate and other operations, support for linking of messaging destinations, support for web services usages within EJB, and a container-managed timer service.'] "Enterprise JavaBeans (EJBs) and the advent of Web services seem to be a good example of this phenomenon. Since the release of EJB 2.0, Web services and associated standards such as Simple Object Access Protocol (SOAP); Web Services Description Language (WSDL); Universal Description, Discovery, and Integration (UDDI); and Electronic Business Extensible Markup Language (ebXML); among others, have gained tremendous momentum. So it should come as no surprise that the draft specification of EJB 2.1 (which Sun released in June 2002 for public review) includes Web services support as one of its major enhancements. Other enhancements in EJB 2.1 allow you to access stateless session beans as Web services and extend message-driven bean component types to other messaging types. The new spec also includes a container-managed timer service. Let's see what these changes will mean for you... The EJB 2.1 deployment descriptor includes a new element called service-endpoint that contains the fully qualified name of the enterprise bean's Web service endpoint interface. This element is a child of the session-beanType element. Only stateless session beans can have the service-endpoint element in their deployment descriptor. The Web service endpoint is exposed only if it is referenced by a Web service deployment descriptor through the service-endpoint element. If this is done correctly during deployment, the container will generate the appropriate classes that implement the Web service endpoint interface... 
The Web Service endpoint interface facility is available only for stateless session beans. That is, entity beans (container- and bean-managed), stateful session beans, and message-driven beans cannot be made available as Web services. In a way this makes sense because all Web services standards today are meant to support synchronous, stateless Web services, which map very nicely to stateless session beans... Both Java and non-Java clients can access stateless session beans as Web services. A client that is written in Java may access the Web service by means of the Java API for XML-based RPC (JAX-RPC) client APIs, which is part of the Java Web Service Pack release. And of course, all clients can access the Web service through SOAP 1.1 messages over HTTP(S). SOAP messages over other protocols (such as Simple Mail Transfer Protocol [SMTP]) are not yet supported, although such support is included in the SOAP 1.1 specification. To support Web service interoperability, the EJB 2.1 specification requires compliant implementations to support XML-based Web service invocations using WSDL 1.1 and SOAP 1.1 over HTTP 1.1 in conformance with the requirements of JAX-RPC..." See also Enterprise JavaBeans 2.1 as JSR 153.
[August 26, 2002] "JAXR: A Web Services Building Block." By Sameer Tyagi. In Java Pro Magazine Volume 6, Number 10 (October 2002). [Covers Java API for XML Registries (JAXR), which 'provides a uniform and standard Java API for accessing different kinds of XML Registries; an XML registry is an enabling infrastructure for building, deploying, and discovering Web services.'] "The Java XML (JAX) Pack provides the core set of APIs that facilitate the building of Web services in Java. The JAX Pack is a set of Java APIs that includes the Java APIs for XML Processing (JAXP) and Messaging (JAXM), the Java API for XML-based RPC (JAX-RPC), SOAP with Attachments API for Java (SAAJ) and Java API for XML Registries (JAXR), which was released with the final version of the pack in June. JAXR provides a uniform and standard Java API for accessing XML registries. JAXR is also included in Sun's Web Services Developer Pack version 1.0, which provides tools for Java developers to build, test, and deploy Web services. Although the API itself is quite simple, JAXR represents a critical component for enabling Java Web services. Let's see why... JAXR provides a layer of abstraction to developers and gives them the ability to write applications with a simple and standard API in Java to interact with a varied set of business registries (at present UDDI and ebXML). However, this should not be implicitly construed to mean that JAXR is a new registry specification or is a lowest-common-denominator API. The JAXR architecture is based on the concept of pluggable providers. Developers write applications using a standard JAXR client API and a standard JAXR information model (or domain object model). The JAXR pluggable provider then maps the information model and invocations to the underlying registry's capability and delegates work under the hood to the registry-specific provider, which knows how to interact with that specific registry. 
Because JAXR's information model provides a superset of existing registry models, not all registries support each individual JAXR feature. To group these features logically, each individual method in the JAXR API is assigned a capability level, and providers declare what capability level they support. In practical terms, the JAXR information model is based on the ebXML information model. This makes sense because the ebXML version 2.0 information model is functionally larger than the UDDI version 2.0 information model. JAXR has two capability levels: level 0 and level 1. A capability level 0 from a provider implies support for a UDDI registry, and a level 1 implies support for an ebXML and UDDI registry (support for a higher level by a provider also implies support for a lower level). All JAXR providers are required to support level 0 (and hence UDDI), and support for level 1 is optional. In short, a JAXR client for a standard registry (such as UDDI) is guaranteed to be portable across other providers of that registry..."
[August 26, 2002] "Get to the Top with 10 Wireless Technologies." By Jeff Jurvis (Compaq Global Services). In Java Pro Magazine Volume 6, Number 10 (October 2002). ['Java enables sophisticated wireless applications that can help developers penetrate the enterprise.'] "Java has always been the perfect platform for mobile and wireless applications, but the enabling technologies have made it difficult to deliver those applications. Devices had insufficient processing power, and networks were slow and unreliable. Only now are devices and networks coming up to speed to support the kind of applications we want to run over wireless. Java's emphasis on security and efficient use of network resources makes it ideal for building enterprise applications on small but powerful devices such as smartphones and handhelds. Here are 10 key wireless technologies that do enable sophisticated wireless applications today and why they are important to Java developers." The article covers: Wireless Application Protocol (WAP), Mobile Markup Languages [WML, Compact HTML (cHTML), XHTML Basic and the XHTML Mobile Profile], Multimodal Markup Languages, Short Messaging Service (SMS), SyncML, 802.11b Wireless LANs, Next Generation Wireless Phone Networks, Wireless Security, Java APIs for Bluetooth Wireless Technologies, and JavaPhone API.
[August 26, 2002] "Practicing Safer SAX. [Column: Javatecture.]" By James W. Cooper. In Java Pro Magazine Volume 6, Number 10 (October 2002). ['See how easy it is to write your own XML-parsing system using Java 1.4, which includes all of the common methods for parsing XML documents, including both a SAX and a DOM parser.'] "All of the common methods for parsing XML documents, including both a Simple API for XML (SAX) and a document object model (DOM) parser, are built into Java 1.4, and this prompted me to rewrite some code I have lying around to use these classes. Let's suppose we have a passel of documents on which we want to do some computations. Now, these documents could just be separate files, but if they are short documents, perhaps document abstracts, you will get better performance if you put all of them in one big file. Now, what sort of document analysis might we be doing where we would scan through a bunch of abstracts? Depending on your computational bent, you might try to analyze each document for readability, for occurrence of specific domain terms, or sentence complexity. In this example, we'll just count the number of words in each document..."
[August 26, 2002] "Microsoft Readies Specifications Compliance Kit for Web Services." By Paul Krill. In InfoWorld (August 26, 2002). "The Microsoft Web Services Development Kit (WSDK), to be available in a beta version Monday [2002-08-26], will function with the company's Visual Studio .Net development platform. The free download will provide support for three Microsoft-driven specifications that the company wants adopted as industry standards: WS-Security, WS-Attachments, and WS-Routing... A final kit is to be available in approximately two months, followed by periodic updates as new industry standards and specifications emerge, according to Steven VanRoekel, Microsoft director of Web services marketing. But don't look for standards efforts from rival Sun Microsystems, such as the Web Services Choreography Interface (WSCI) submitted to the World Wide Web Consortium (W3C), to be supported in the kit, VanRoekel said... WS-Security is intended to enable secure passing of SOAP messages. WS-Routing supports routing of messages through intermediaries, such as passing an order for a part directly to a vendor. WS-Attachments enables binary attachments, such as a picture, to be attached to a SOAP message... WS-Security has been submitted to OASIS (Organization for the Advancement of Structured Information Standards) while WS-Attachments was sent to the Internet Engineering Task Force (IETF). WS-Routing has not been submitted to a standards body. These three have been included in the kit because they are the most mature of Microsoft's specifications, according to Meyer. Future versions of the kit might add specifications such as: BPEL4WS (business process execution language for Web services), which is intended to ensure that differing business processes can understand each other in a Web services environment; WS-Transaction, for transactional applications; and WS-Coordination, for Web services coordination..." 
See details in the 2002-08-26 news item "Microsoft Announces Web Services Development Kit Technology Preview."
[August 26, 2002] "Microsoft Previews Web Services Kit." By Darryl K. Taft. In eWEEK (August 26, 2002). "Though working in lock step with partners on every other important Web services standard, Microsoft on Monday took a step on its own to advance Web services capabilities. The company announced the availability of the technical preview for the Microsoft Web Services Development Kit (WSDK), which provides the tools developers need to build advanced Web services applications using the latest Web services specifications, such as WS-Security, WS-Routing and WS-Attachments. The WSDK incorporates Microsoft's recent work with partners such as IBM and VeriSign Inc. and also with customers to develop Web services specifications beyond XML and the Simple Object Application Profile (SOAP), such as WS-Security, that address the core challenges of Web services in a way that is broadly interoperable across heterogeneous systems. In addition, the specifications are designed to be modular so developers using Microsoft's WSDK can incorporate a specific specification functionality, on an as-needed basis, into the different levels of their Web services applications..." See details in the 2002-08-26 news item "Microsoft Announces Web Services Development Kit Technology Preview."
[August 26, 2002] "XMLTK: An XML Toolkit for Scalable XML Stream Processing." Draft version 2002-07. 13 pages. By Iliana Avila-Campillo (Institute for Systems Biology), Todd Green (Xyleme), Ashish Gupta (University of Washington), Makoto Onizuka (NTT Cyber Space Laboratories, NTT Corporation), Demian Raven (University of Washington) and Dan Suciu (University of Washington). Paper prepared for presentation at the PLAN-X Workshop on Programming Language Technologies for XML, October 3, 2002, Pittsburgh, PA, USA. "We describe a toolkit for highly scalable XML data processing, consisting of two components. The first is a collection of stand-alone XML tools, s.a. sorting, aggregation, nesting, and unnesting, that can be chained to express more complex restructurings. The second is a highly scalable XPath processor for XML streams that can be used to develop scalable solutions for XML stream applications. In this paper we discuss the tools, and some of the techniques we used to achieve high scalability. The toolkit is freely available as an open-source project. Each of the stand-alone XML tools performs one single kind of transformation, but can scale to arbitrarily large XML documents in, essentially, linear time, and using only a moderate amount of main memory. There is a need for such tools in user communities that have traditionally processed data formatted in line-oriented text files, such as network traffic logs, web server logs, telephone call records, and biological data. Today, many of these applications are done by combinations of Unix commands, such as grep, sed, sort, and awk. All these data formats can and should be translated into XML, but then all the line-oriented Unix commands become useless. Our goal is to provide tools that can process the data after it has been migrated to XML. Our second goal is to study highly efficient XML stream processing techniques. 
The problem in XML stream processing is the following: we are given a large number of boolean XPath expressions and a continuous stream of XML documents and have to decide, for each document, which of the XPath expressions it satisfies. In stream applications like publish/subscribe or XML packet routing this evaluation needs to be done at a speed comparable with the network throughput, and scale to large numbers of XPath expressions... We report here one novel technique for stream XML processing called Stream IndeX, SIX, and describe its usage in conjunction with the stand-alone tools. A SIX for an XML file (or XML stream) consists of a sequence of byte offsets in the XML file that can be used by the XPath processor to skip unneeded portions. When used in applications like XML packet routing, the SIX needs to be computed only once for each packet, which can be done when the XML packet is first generated, then routed together with the packet... The work closest to our toolkit is LT XML. It defines a C-based API for processing XML files, and builds a large number of tools using this API. Their emphasis is on completeness, rather than scalability: there is a rich set of tools for searching and transforming XML files, including a small query processor..." See other references in the news item "Stream Index 'SIX' Used in XML Stream Processing Toolkit." Source: Postscript. Also in the PLAN-X Proceedings.
[August 26, 2002] "Registering and Discovering RSS Feeds in UDDI." By Karsten Januszewski (Microsoft Corporation). Microsoft White paper at GotDotNet. "The use of Universal, Description, Discovery and Integration (UDDI) to catalog and discover Rich Site Summary (RSS) news feeds is a logical application of UDDI in its mission of description and discovery of Web services. RSS is one of the most frequently used applications of XML on the Web today. It provides a standard way for organizations and individuals to distribute news on the Internet. One question that arises with RSS is the ability to discover the location of different RSS Feeds. The question of discovery and aggregation of RSS Feeds has the following requirements: (1) Programmatically publish an RSS Feed; (2) Associate metadata (classification, geography, ownership, etc.) with that RSS Feed in an extensible manner; (3) Query for RSS Feeds based on a number of parameters; (4) Perform requirements 1, 2, and 3 in an interoperable, programming language independent way. It is in meeting these requirements that UDDI serves as a solution. UDDI provides a mechanism to register RSS Feeds in a UDDI registry. UDDI has a flexible classification system that can be employed to attribute those feeds with a range of different metadata in an extensible way. Once RSS Feeds are registered in UDDI, users can query for those feeds deterministically across different metadata. Client RSS readers can query UDDI and aggregate different RSS Feeds based on classification information. And, lastly, UDDI is an interoperable, programming language independent service with a comprehensive XML SOAP API for both publication and inquiry." From the announcement: "... a white paper and code sample on registering RSS Feeds in UDDI has been published. The paper walks through publishing and discovering RSS Feeds in UDDI, including a mapping between the two data models, the creation of well-known RSS tModels, and recommendations on classification. 
The code sample provides a sample .NET publication/aggregation tool based on the practice in the paper. An installable .msi file is provided, as is the source code for the C# WinForm. The application is meant only as a sample and is not optimized for usage. (There is no caching of feeds, for example, in the sample application.) Incidentally, a feed one might discover in UDDI according to the practice outlined in the paper is a web log I am maintaining on UDDI -- for the location of the feed, query UDDI based on the paper... The most difficult part of this exercise was modeling RSS version in UDDI. The paper opts for a particular solution; feedback and comments on the solution are welcomed..." See: (1) "RDF Site Summary (RSS)"; (2) "Universal Description, Discovery, and Integration (UDDI)."
[August 26, 2002] "WS-I Sorts Out Web Services Specs." By Darryl K. Taft. In eWEEK (August 26, 2002). "With the number of Web services standards becoming an alphabet soup, enterprises are looking for assurance that the myriad specifications are interoperable. The Web Services Interoperability organization, or WS-I, is taking steps to help. The WS-I recently finished an internal version of its first set of guidelines -- or profiles -- called WSBasic, designed to assist enterprises in developing and running Web services. The beta version is scheduled for release in November, with general availability expected by the end of the year. The group, formed in February by Microsoft Corp., IBM, BEA Systems Inc., Intel Corp. and others, also wants to play a broker role for the various competing standards bodies, in particular the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS)... Another key to standards interoperability is cooperation among the major standards groups. At the XML Web Services One Conference in Boston this week, the W3C and OASIS will discuss security standards for Web services. WS-I representatives said their group's profiles will give the standards bodies a middle ground to work around. The WS-I profiles are Web services specifications at specific version levels that include outlines about how they work together, according to Rob Cheng, a WS-I co-chairman and senior IPlatform product analyst at Oracle Corp., in Redwood Shores, Calif. WSBasic includes the core Web services specifications: XML Schema 1.0, SOAP (Simple Object Access Protocol) 1.1, WSDL (Web Services Description Language) 1.1 and UDDI (Universal Description, Discovery and Integration) 2.0... 
Available with the alpha version of WSBasic are sample applications used to demonstrate Web services interoperating on various platforms -- including Windows, Solaris and Linux -- and tools to analyze and test interoperability, said John Kiger, director of Web services technologies at BEA, in San Jose, Calif., and a WS-I board member. Sample applications and testing tools will be beefed up as profiles evolve. WSBasic will be the building block for profiles that will include other standards, such as WS-Transaction and WS-Security, Cheng said. Additional profiles will address issues such as message extensibility, routing, correlation, guaranteed message exchange, signatures, encryption, transactions, process flow and inspection. The development of additional or updated WS-I profiles depends on the continued maturity of Web services specifications, Cheng said. WS-I representatives said they expect that vertical industries will build on the WS-I profiles by adding industry-specific standards to them..." See: "Web Services Interoperability Organization (WS-I)."
[August 26, 2002] "Startup Eyes XML Management, Monitoring." By Tom Sullivan. In InfoWorld (August 25, 2002). "A Portsmouth, N.H.-based startup is looking to carve a place for itself among the growing swirls of XML within organizations. Swingtide on Monday announced itself to the IT industry, with plans to detail forthcoming products in the fourth quarter of this year. Although the company declined to detail those products, CEO David Sweet said that the focus is on XML and XML-based services. The very name connotes its founders' belief that a shift is taking place in which the proverbial programming tide is flowing decidedly away from traditional applications straight toward XML-based services. 'The fundamental purpose for which we founded Swingtide is to manage and monitor the growth of XML within the enterprise,' Sweet said. 'We are seeing a proliferation of XML.' But not everyone sees XML exploding right now. 'To say XML is growing like crazy, that's a bit of a rosy picture. There's not as much proliferation of XML content as we might have expected there to be a year ago,' said Tyler McDaniel, an analyst with consultancy Hurwitz Group, based in Framingham, Mass. 'A big reason for that is because companies have retrenched to make the most out of what they already have.'... Swingtide is also addressing what Sweet called QoB, or Quality of Business. Whereas QoS (Quality of Service) concerns itself with the physical network management, such as speed and performance, availability, and ROI, QoB examines the aspects of 'logical' network management, such as the customer experience, XML service traction and related revenue growth, and what Sweet called Return on Assets. A big part of QoB is to make sure that XML from various applications and sources is interoperable, much the way companies do with applications themselves... Swingtide's founders are no strangers to XML and the world of Web services. 
CEO Sweet, in fact, previously started two other companies with co-founder and chairman Jack Serfass -- Web services company Bowstreet, and Preferred Systems, which was sold to Computer Associates. The final piece of the co-founder triptych is David Wroe, who brings more than thirty years experience in the financial services and insurance industries. In roles prior to Swingtide, Wroe served as CTO of commercial insurer CNA, and CEO of Agency Management Services..."
[August 26, 2002] "The Query Language TQL." By Giovanni Conforti, Giorgio Ghelli, Antonio Albano, Dario Colazzo, Paolo Manghi, and Carlo Sartiani (Dipartimento di Informatica, Università di Pisa, Pisa, Italy). From among the papers accepted for the Fifth International Workshop on the Web and Databases (WebDB 2002), Madison, Wisconsin - June 6-7, 2002. "This work presents the query language TQL, a query language for semistructured data, that can be used to query XML files. TQL substitutes the standard path-based pattern-matching mechanism with a logic-based mechanism, where the programmer specifies the properties of the pieces of data she is trying to extract. As a result, TQL queries are more 'declarative', or less 'operational', than queries in comparable languages. This feature makes some queries easier to express, and should allow the adoption of better optimization techniques. Through a set of examples, we show that the range of queries that can be declaratively expressed in TQL is quite wide. The implementation of TQL binding mechanism requires the adoption of non-standard techniques, and some of its aspects are still open. In this paper we implicitly report about the current status of the implementation by writing all queries using the version of TQL that has been implemented... Although the language TQL originates from the study of a logic for mobile ambients, for the simplest queries it turns out to be quite similar, in practice, to other XML query languages. However, the expression of queries which involve recursion, negation, or universal quantification, has in TQL a clear declarative nature, while other languages are forced to adopt a more operational approach. All queries presented in this paper are executable in the prototype version of the TQL evaluator, and can be found in the file demo.tql in the standard distribution. 
The current version of the prototype works by loading all data in main memory, but is already based on a translation into an intermediate TQL Algebra, with logical optimizations carried on both at the source and at the algebraic level. The intermediate algebra works on infinite tables of forests, represented in a finite way, and supports such operations as complement, to deal with negation, coprojection, to deal with universal quantification, several kinds of iterators, to implement the | operator, and a recursion operator. TQL is currently based on an unordered nested multisets data model. The extension of TQL's data model with ordering is an important open issue." TQL can be freely downloaded. See "XML and Query Languages."
[August 26, 2002] "User Agent Accessibility Guidelines 1.0." W3C Working Draft 21-August-2002. Edited by Ian Jacobs (W3C), Jon Gunderson (University of Illinois at Urbana-Champaign), Eric Hansen (Educational Testing Service). Version URL: http://www.w3.org/TR/2002/WD-UAAG10-20020821/. Latest version URL: http://www.w3.org/TR/UAAG10/. Previous version URL: http://www.w3.org/TR/2001/CR-UAAG10-20010912/. List of changes. "This document provides guidelines for designing user agents that lower barriers to Web accessibility for people with disabilities (visual, hearing, physical, cognitive, and neurological). User agents include HTML browsers and other types of software that retrieve and render Web content. A user agent that conforms to these guidelines will promote accessibility through its own user interface and through other internal facilities, including its ability to communicate with other technologies (especially assistive technologies). Furthermore, all users, not just users with disabilities, are expected to find conforming user agents to be more usable. In addition to helping developers of HTML browsers, media players, etc., this document will also benefit developers of assistive technologies because it explains what types of information and control an assistive technology may expect from a conforming user agent. Technologies not addressed directly by this document (e.g., technologies for braille rendering) will be essential to ensuring Web access for some users with disabilities."
[August 26, 2002] "The Distributive ebXML Grid." By David Lyon (GTD Technologies Pty Limited). Document posted to 'regrep@lists.oasis-open.org'. August 22, 2002. Slides from a Sydney meeting of August 20, 2002. "... why do we need an ebXML Grid? The Grid promises an easier way to do business transactions: The Web is often too slow for business; Web Servers are generally limited by the speed of users clicking from within their Browser; There is excess capacity on the Internet; Not enough business transactions go across the Internet; The Grid has a better business model... The Distributive ebXML Grid is a coop with a better business model than the current web: [1] The business model of the web is basically that software developers will build a website for a price. Transactions are low in cost but startup is quite expensive. In practice, few systems can interoperate and there is no financial incentive for interoperability to occur. [2] The business model of the Distributive ebXML Grid is transaction/subscription based with a percentage paid back to Integrators. The effective cost is lower for all concerned... The 'distributive ebXML Grid' is a 'circuit' or Grid of business computers networked using the Internet (the Grid works on permanently open TCP/IP connections; it can use transactions based on the international UBL standard from ebXML as well as EDI; it has a sustainable business model). Transactions get 'dropped' on the grid and find their way to trading partners systems. The Grid uses 256 bit security and X.509 Certs and pushes TCP/IP networking to its limits..."
From the ebXML-DEV posting: "the ebXML Grid concept, loosely based on existing ebXML work such as BPSS, UDDI, Core Components, Message Handling services and also a significant influence from X.500/LDAP...The idea behind the concept was to build a Distributive computer grid or circuit based on/for ebXML to take advantage of dialup, broadband and wireless connections for the ever increasing capabilities of the modern PC. The vision for the project is to one day interconnect tens of thousands of business computers on an ebXML grid. On demonstration will be some 256-bit, 2048-bit and 8192-bit encryption/decryption software for those who are security conscious..." In a note to the OASIS ebXML Registry list, David RR Webber compares the Grid to ArapXML Consortium work led by Todd Boyles. See: "Electronic Business XML Initiative (ebXML)."
[August 26, 2002] "Cryptographically Enforced Conditional Access for XML." Paper presented at the Fifth International Workshop on the Web and Databases (WebDB 2002), Madison, Wisconsin - June 6-7, 2002. By Gerome Miklau and Dan Suciu (University of Washington). [Note: several accepted papers from the workshop cover XML.] "Access control for databases is typically enforced by a trusted server responsible for permitting or denying users access to the database. This server-based protection model is increasingly becoming inconvenient for web based applications. We propose encryption techniques that allow XML documents to be distributed over the web to clients for local processing while maintaining certain access controls. In particular, we focus on conditional access controls, where a user is granted access to certain data elements conditioned on the user's existing knowledge of another part of the data. We believe such access controls are important in practice, and that enforcing them cryptographically on remote instances allows for more efficient data dissemination and processing... An access control model is used to permi

