XML and Web Services In The News - 27 May 2004

Trust Networks in a Web Services World
Paul Madsen, O'Reilly WebServices.XML.com
Security token services (STS) make trust networks scalable by mediating trust between companies that would otherwise not be able to ascribe trust to another. Rather than maintaining pairwise trust with all potential partners, individual companies instead form a trust relationship with the STS and then rely on the STS to form sufficient other trust relationships such that the necessary indirect trust can be established. Based on the trust that a company places in the STS, it may choose to extend trust to another company in which the STS places its confidence. Trust between entities in many web services transactions is enabled by a separate authority issuing security tokens (e.g., X.509 certificates, SAML assertions, Kerberos tickets, etc.) regarding the identity or other characteristics of the actors involved. Recipients are typically able to ascribe a sufficient level of trust in a security token because they can be confident of its origin, i.e., they know and trust the authority that issued the token and can verify through cryptographic means that the token was issued by that authority. It is through the existing trust they have in the third party security token issuer that they are able to derive indirect trust in the holder of a security token created by that issuer. Although mechanisms currently exist by which the STS can advertise the necessary information to potential relying parties, they are not designed to support the sort of dynamic relationships made possible by web services. Fortunately, work is underway to define new mechanisms to simplify and facilitate connecting with the STS hubs.
See also: XML Security Standards

WWW 2004 Semantic Web Roundup
Paul Ford, XML.com
According to Tim Berners-Lee's WWW2004 keynote address, the Semantic Web is entering "phase II", a time of "less constraint" when Semantic Web developers are encouraged to build upon the foundations of RDF and OWL to create working applications on both the server and the desktop. And while other topics were discussed at WWW2004, such as mixed markup and XForms, this was definitely the Semantic Web's moment in the sun, with academic and corporate presentations alike focusing on the uses of RDF, triple stores, and data sharing. While the Semantic Web applications shown at WWW2004 are not equivalent to large commercial jetliners, several applications seem to be self-propelled, running on more than hot air. But it is also clear that many are still waiting for a "conversion experience" regarding the Semantic Web.
See also: the W3C Semantic Web Activity

BEA Launches New Developer Resources
Elizabeth Montalbano, CRN
BEA Systems Wednesday released a raft of new developer resources at its eWorld 2004 Conference aimed at developers building service-oriented architectures (SOAs). Several of the new offerings from the San Jose, Calif.-based vendor are available on its dev2dev developer portal. BEA also introduced the SOA Technology Center, which offers best practices, guidelines, patterns, white papers, code samples, Webinars, interviews and demos for helping developers build SOAs. In conjunction with The Middleware Company, a consulting and research firm for J2EE and .Net development, BEA also has created a set of blueprints for building SOAs. The blueprints provide real-world implementations of how applications can be deployed in SOAs and demonstrate how developers can use an SOA to solve business issues. BEA also is sponsoring an open-source community to host, promote and collaborate on enhancements around the controls in the offering.
See also: BEA SOA Dev Center

Microsoft to Merge Caller ID with SPF Anti-Spam Scheme
Gregg Keizer, InternetWeek
Microsoft on Tuesday agreed to blend its Caller ID for E-mail anti-spam proposal with another of the leading domain authentication schemes, Sender Policy Framework (SPF). The company reached the agreement with Meng Wong, the author of SPF, to merge the two proposals into one specification that will be presented to the Internet Engineering Task Force (IETF) standards body in June. If adopted, the specification would provide a way to stop domain spoofing, where spammers forge addresses in hopes of disguising their identities or tricking users into divulging personal financial information, the rising trend called "phishing."
See also: the Caller ID Draft

Industry Shows Heightened Interest in Federated Identity-Based Web Services.
XML Cover Pages
Several recent announcements report on growing adoption of identity federation standards and demonstration of interoperability between enterprise-level Web Services identity products. Liberty Alliance released a new document describing applicability of the Identity Web Services Framework (ID-WSF) to Web services. Microsoft announced that six companies participating in a WS-Federation interoperability workshop have completed testing of their products.

Bottom Gear Image