

Monday, March 31, 2008

Oasis XACML Interoperability Event at RSA Conference is not a dolly

I am appalled that my good e-friend, James McGovern has jumped the gun and come to an incorrect conclusion that the Oasis XACML Interoperability event at the RSA Conference in April 2008, is just a dolly. You can see James's post here.

Craig Forster, another buddy of mine from IBM, has kind of corrected James here.

In a nutshell, I can say that this interop is heavily focused toward the health care industry and the Department of Veteran Affairs (VA) is taking the lead in driving this interop (of course with our buddy, David Staggs who is pioneering multiple standards in the health care sector). Let the participants including me finish the interop and then we will rave all about it. I may blog about the interop this week. So if you are interested, stay tuned.

Hey, James, why do BPM and ECM with XACML? Are there no other boring topics? ;) Take a look at the health care use cases. They are complex and affect each one of us (because we use health care).

Friday, March 21, 2008

Transparent eGovernance

In 2007, I was fortunate to attend the W3C Workshop on e-governance in Washington DC. It was interesting to hear about government agencies in the US and UK trying to embrace the web as a means of transparent governance. I remember someone from the Library of Congress mentioning that 12 agencies in the US had a presence in Second Life. That was interesting. I was there on a panel to preach eGovernment security and the usage of consolidated portals.

The reason for bringing up this old event is that I came across this positive approach taken by the leadership of DHS in the US to embrace the blogosphere. The online web journal of the leadership of the US Department of Homeland Security, including entries from Secretary Michael Chertoff, is here. I congratulate the leadership of DHS for embracing online journals as a means of transparency with the day-to-day activities of governance.

I remember at the W3C workshop, I had broached the topic of blogs with a public policy official from the UK (the official had mentioned the use of wikis) and she had opined that blogs were a tough sell with the government mainly due to dangers associated with disclosure of sensitive information and legalities involved.

The W3C eGovernment page is located here.

Wednesday, March 19, 2008

Red Hat open sources Certificate System

Source Code for Red Hat Certificate System Released

This means a lot to many folks, such as Arshad Noor, Chair, Oasis EKMI who talks about it here.

The FreeIPA initiative has been a positive step for centralized Identity, Policy and Audit requirements in a Linux based environment.

If you are going to be present at the RSA Conference in April 2008, do stop by the Red Hat booth to hear about IPA, Open Sourced CS etc. I will be present at the Oasis XACML Interop booths (132-136) leading JBoss/RedHat. See you at the RSA Conference.

By the way, let me point out certain things about Red Hat CS.

Based on Red Hat Certificate System
Red Hat Certificate System handles all major functions of the certificate life cycle, and simplifies enterprise-wide deployment and adoption of a robust security architecture.

Ken Milberg takes a tour of RHCS.

Incorporate this certificate server into your projects.

Additional marketing statement:
A complete public key infrastructure solution, Red Hat Certificate System 7.2 provides a security framework that guarantees the identity of users and ensures the privacy of communications in heterogeneous environments.

Well, the open sourced certificate server is called "Dogtag Certificate System".

Additionally, please read Bob Lord's blog post.

UPDATE: Oasis XACML Interoperability event at the RSA Conference 2008.

OpenSAML v2.0 Java Version has been released by Internet2

The following email from Chad says it all. OpenSAML v2.0 Java Version has been released.

From Chad La Joie
date Mon, Mar 17, 2008 at 10:15 AM
subject [OpenSAML] OpenSAML/J 2.0.0 Release Available

So I'm very happy to announce the 2.0.0 release of OpenSAML/J. This
release closes out the remaining bugs from all the previous release



We are working on the following items for future releases:
- Move to Maven build system
- Merge in the XACML code contribution provided by the EGEE Collaboration
- Merge in the WS-Trust code contribution provided by the EGEE Collaboration

And for those that like metrics, Ohloh indicates that OpenSAML 2.0 (Java
and C++ versions) represents about 39 person years of work.

Scott will be releasing the C++ code at a later date.



UPDATE: OpenSAML/J v2.1.0 Released.


Friday, March 7, 2008

Experiences at IDTrust 2008 at NIST

It was a great feeling to actually stand in an auditorium with lights and make a presentation. The occasion was IDTrust2008 workshop. The location was National Institute of Standards and Technology (NIST) at Gaithersburg, Maryland.

Dee Schur from Oasis and I had worked for 4 months to put together the best folks in the Security industry (of course Oasis members) to make a good case for XACML and the interoperability at the RSA Conference 2008. To summarize, the panel was a grand success. :)

The panelists included Hal Lockhart from BEA Systems (Co-chair of XACML and SAML TCs), Tony Nadalin from IBM (Tony is the Chief Security Architect/Distinguished Engineer), Sunil Madhu (Chief Architect, Policy Management BU at Cisco), Andreas (Product Manager from Axiomatics) and of course, your excellency.

You can get hold of the presentations from the program page.

From left to right: Hal Lockhart, Co-Chair, Oasis SAML and XACML TCs; Sunil Madhu, Chief Architect, Policy Management Business Unit, Cisco System; Anil Saldhana, Red Hat; Tony Nadalin, Distinguished Engineer and Chief Security Architect, IBM and Andreas S, Axiomatics.

It certainly was an honor to talk to David Ferraiolo, Researcher at NIST, for almost 20 minutes after the panel. Well, I did not know exactly who David was (I was guessing it in my mind during my talk with him, since he mentioned that he had been researching access control for a long, long time. My guess was right). Well, David is one of the guys who invented RBAC in 1992. RBAC has been the foundation of access control in many security systems including Java EE security. So, after Sir Tim Berners-Lee and Kim Cameron, David is the third superstar I have met in the space of 12 months. :)

It was a pleasure to listen to Stephen Wilson's presentation on PKI as well as Arshad Noor raving about EKMI. I also had the pleasure of meeting Dr. Abbie Barbir from Nortel. Abbie is an old horse in the standards space. He is on the Technical Advisory Board (TAB) of Oasis. He co-chairs the TAB with Hal as per Oasis TAB.

Abbie, Hal and Tony certainly have a great sense of humor, which may really kill you. Particularly stay away from Abbie and Tony.

Looking forward to the Oasis XACML Interoperability at RSA Conference 2008.

Monday, March 3, 2008

TheServerSide broaches OSGi

TSS has broached OSGi here.

To start, let me refer you to my buddy, Ales Justin's impressive interview. He clearly outlines JBoss's intentions with OSGi. Well, to the question of why JBoss does not directly use Felix but embark on its own implementation, Ales has answered it quite well.
The current OSGi service registry lacks the features we need - fine grained dependency, AOP integration, legacy JMX support, scoped metadata, open mbeans, Virtual File System (VFS), generic deployers, etc... If we were to take an existing implementation and add these features then it would probably take the same amount of effort, if not more, to put everything together. Also by building our own implementation we ensure that we have the most control over the core piece of our application server, i.e. the kernel.

We could probably use the classloading features of existing OSGi frameworks but it would again mean bending around things to make them work. As we wanted to have a bullet proof implementation, where all the nasty details were hidden away under private/protected modifiers, it was important that we could tightly control access through policies and delegation. From this perspective it made more sense to implement our own classloading layer. It also meant that things like resource lookups could be implemented using our Virtual File System which gives us really nice access to deployments regardless of their location or structure (packaged or unpackaged).

If you want to understand the security associated with bundles in OSGi, do peek at "Protecting code archives with digital signatures"

Let us take a 10,000-foot view of security in OSGi. Policy files can guard the actions of software bundles. Bundles can be signed in the same way as JAR files. Additionally, the PermissionAdmin service in OSGi can be used to administer permissions dynamically, per bundle location and at runtime (it looks like a direct relation to the JACC PolicyConfiguration idea, where the container hands permission grants to the policy provider).

The key aspect of OSGi that interests me is the isolation of bundles: it means I can have multiple versions of a bundle working in the OSGi runtime without conflicts.
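To make the PermissionAdmin point concrete, here is an added example (my own sketch, not code from JBoss or from the OSGi specification): a bundle activator that confines another bundle to a least-privilege permission set. The package name, the target bundle location and the data directory are hypothetical; the OSGi API calls (PermissionAdmin, PermissionInfo, PackagePermission, ServicePermission) are the standard ones.

```java
package com.example.osgi.security;  // hypothetical package

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * Activator for a hypothetical "policy manager" bundle. When the framework
 * runs with a SecurityManager installed, it confines another bundle
 * (identified by its install location) to the minimum permissions it needs.
 * Permissions set through PermissionAdmin take effect at runtime and are
 * persisted by the framework, so no static policy-file edit is required.
 */
public class LeastPrivilegeActivator implements BundleActivator {

    // Hypothetical install location of the bundle being confined.
    static final String TARGET_LOCATION = "file:/opt/app/bundles/reporting-1.0.jar";

    public void start(BundleContext context) throws Exception {
        ServiceReference ref = context.getServiceReference(PermissionAdmin.class.getName());
        if (ref == null) {
            // No PermissionAdmin means no SecurityManager was installed: fail
            // closed rather than letting the target run unconfined.
            throw new IllegalStateException("PermissionAdmin not available; refusing to start unconfined");
        }
        PermissionAdmin admin = (PermissionAdmin) context.getService(ref);
        try {
            // An explicit set for a location replaces the default permissions
            // entirely, so every permission the target needs must be listed here.
            admin.setPermissions(TARGET_LOCATION, buildPermissions());
        } finally {
            context.ungetService(ref);
        }
    }

    static PermissionInfo[] buildPermissions() {
        return new PermissionInfo[] {
            // May import the framework and logging packages, but export nothing.
            new PermissionInfo("org.osgi.framework.PackagePermission", "org.osgi.framework", "import"),
            new PermissionInfo("org.osgi.framework.PackagePermission", "org.osgi.service.log", "import"),
            // May look up the log service but not register any service of its own.
            new PermissionInfo("org.osgi.framework.ServicePermission", "org.osgi.service.log.LogService", "get"),
            // Read-only access to its data directory (hypothetical path); no write, no network.
            new PermissionInfo("java.io.FilePermission", "/opt/app/data/-", "read"),
            // Deliberately absent: AdminPermission, SocketPermission, any "register" or "export".
        };
    }

    public void stop(BundleContext context) {
        // Leave the grants in place; the framework persists them across restarts.
    }
}
```

Two caveats a practitioner should check: none of this is enforced unless the framework is started with a Java SecurityManager, and the effective permissions of a signed bundle are the intersection of what PermissionAdmin grants and what the bundle's own local permissions file asks for, so signing (with the usual jarsigner tooling, as for any JAR) and PermissionAdmin complement rather than replace each other.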

Where is Li Gong now?

I am not talking about the Chinese Actress, Li Gong. I am referring to the main architect of the Java 2 Security Architecture. I knew that he had left Sun to head Microsoft Security. But somewhere on the web I read that he was the head of the Mozilla Foundation in China.

Here is Li Gong's blog at Mozilla Foundation. Welcome back from the Dark Side of Security.

Sunday, March 2, 2008

Security is way underspecified in Java EE

With all the talk on the profiles in Java EE 6 revolving around whether the basic profile should be equivalent to just the Tomcat container services or whether there is a need for an additional profile to incorporate EJB3, JPA and Web Beans, one has to understand that very limited progress has been made at extending security in Java EE 6. Well, JSR-196 is a welcome change. But it mainly deals with the externalization of the authentication aspects. Plus JASPI took years to complete. We have suddenly screeched to a halt as far as the authorization needs of the modern enterprise are concerned.

Ok, my personal take on the profiles. I vote for the one with Web Beans. A simple web profile (with just servlets and JSPs plus adornments) is not really fit to be termed Java EE 6. Modern web developers need web frameworks (not just JSPs and Servlets) to do their development. Web Beans with a mix of EJB 3.1 and JPA certainly meets the needs of these web developers. Now come on, since when are developers doing just JSPs and Servlets? For web development, you need a persistence layer at all times. Since the Java world has converged on JPA, why not include it in the profile? We are talking about the EE space, so naturally your web components (my hands itched to say, beans) will want to talk to some enterprise components aka EJBs. Since you need the feather-lite version of the EJB specification (we are talking about simple profiles, right? Hence the lite version), that will be the EJB 3.1 version. Now for those morons who equated CMP beans to EJBs, you can stick to your EE profile consisting of just servlets and JSPs (with some insignificant step children of course). There is no need to drag sane people onto your bandwagon.

Authorization has totally taken a back seat, with the cumbersome JACC (JSR-115) as the only specification that is mandated. We have already seen with JBoss Portal that JACC needs to be extended to incorporate portal needs (remember, JACC just deals with web and EJB resources). JACC is not at all intuitive to developers/implementers.
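To show why JACC feels like container plumbing rather than a developer API, here is an added sketch (mine, not code from JBoss, Sun or the JACC reference implementation) of what a container does at deployment and at request time. The servlet name, EJB name, roles and URL patterns are hypothetical; the javax.security.jacc classes and their constructors are the real JSR-115 ones. Note that the only permission types the contract defines are for web resources and EJB methods, which is exactly the gap a portal or a rules engine runs into.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;

/**
 * Hypothetical container-side JACC mapper. Application code never calls any
 * of this: the container translates web.xml / ejb-jar.xml into Permission
 * objects for the provider, and later asks the provider for a decision.
 */
public class JaccDeploymentMapper {

    /**
     * Installs the policy for one module. The context ID is chosen by the
     * container (commonly "<host>/<context-root>") and must be set in
     * PolicyContext before any decision is requested for that module.
     */
    public static void install(String contextId) throws ClassNotFoundException, PolicyContextException {
        PolicyConfigurationFactory factory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
        // remove=true discards any policy statements left over from an earlier deployment.
        PolicyConfiguration pc = factory.getPolicyConfiguration(contextId, true);

        // <security-constraint>: GET and POST under /admin/* require role "admin".
        pc.addToRole("admin", new WebResourcePermission("/admin/*", "GET,POST"));

        // <security-constraint> with an empty <auth-constraint/>: nobody may reach /internal/*.
        pc.addToExcludedPolicy(new WebResourcePermission("/internal/*", (String) null));

        // Everything not covered above is unchecked (any caller, any method).
        pc.addToUncheckedPolicy(new WebResourcePermission("/:/admin/*:/internal/*", (String) null));

        // <security-role-ref>: ReportServlet calls isUserInRole("manager"); the link maps to "admin".
        pc.addToRole("admin", new WebRoleRefPermission("ReportServlet", "manager"));

        // ejb-jar.xml <method-permission>: "admin" may call Payroll.approve(String) on the Remote interface.
        pc.addToRole("admin",
            new EJBMethodPermission("Payroll", "approve", "Remote", new String[] { "java.lang.String" }));

        // Until commit() the configuration is "open" and the provider must not enforce it.
        pc.commit();
    }

    /**
     * Request-time decision. The container builds a ProtectionDomain carrying
     * the caller's principals (as established by the authentication layer,
     * e.g. a JASPI module) and asks the installed JACC Policy.
     */
    public static boolean isAuthorized(String contextId, Principal[] caller, Permission requested) {
        PolicyContext.setContextID(contextId);
        ProtectionDomain domain = new ProtectionDomain(null, null, null, caller);
        return Policy.getPolicy().implies(domain, requested);
    }
}
```

Usage, from the container's request pipeline, would be `isAuthorized(contextId, principals, new WebResourcePermission(request))`, relying on the provider having mapped the caller's principals to roles. Two things to verify in any real deployment: the provider's `Policy` must actually be installed (via `Policy.setPolicy` or the `javax.security.jacc.PolicyConfigurationFactory.provider` property), and `PolicyContext.setContextID` requires the "setPolicy" SecurityPermission, so a misconfigured container will fail at the first decision rather than at deployment.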

There have been new directions at JBoss with initiatives in Instance Based Security (demanded by Rules, Portal and jBPM), XACML (fine grained authorization) and the Authorization Framework (pluggable authorization modules). I would love to see some additional work done in this regard in the JCP.

Time to ping Ron Monzillo at Sun. He is the main security spec lead from Sun (JACC, JASPI).

I will be with Hal Lockhart (BEA) and Tony Nadalin (IBM) this week at IDTrust 08. We are on the same panel from Oasis. It will be interesting to brainstorm ideas with them. My presentation at the panel (I will post the link to the presentation after the workshop is over) is about extending Java EE to incorporate the identity and access control needs of the modern enterprise.

What bothers you as a Java EE user?

UPDATE: Do not forget to check out the comments for this post....