Call for Chapters is officially out
The call for chapters for the forthcoming book:
Securing Web Services: Practical usage of Standards and Specifications
is now out. So....fingers crossed!
panos on 12.29.05 @ 02:30 PM gmt [link]
For some time now I have been looking into ways of automating the process of extracting access control descriptions from contracts expressed in a formal/semi-formal representation (i.e. almost everything but free text). Promela is such a language and it has been widely used (including by people at my Dept) to express formal contracts. I recently found a Promela XML translator which makes parsing a lot easier and a lot more fun. I am now in the process of taking some Promela contract examples, translating them into XML, parsing the XML with a service I am creating and using this information to create Access Control Policies in XACML (I can also do PERMIS, but I won't :-) ) standardise man
So now in GOLD, assuming we have real contracts expressed in Promela, we can do the following.
Verify contracts expressed in Promela using Spin, extract Access Control Policies from Promela, express these in XACML, and validate these (if needed) using Margrave. I ought to replace this with a diagram. Cool huh? From contract formalisation to workflow enactment automatically!
panos on 12.27.05 @ 10:44 AM gmt [link]
It is my last working day today before the new year. Only a couple of minor things to sort out, mainly the call for papers for my book which goes out before the 31st of December. So I guess I still have some work to do after all.
Happy holidays everyone, and a happy new year.
panos on 12.23.05 @ 07:51 AM gmt [link]
I thought of updating the blog with a note that this is the first time that all the links of this site work. Still updating the content though.
panos on 12.22.05 @ 02:34 PM gmt [link]
I had an extensive tutorial with a colleague on Shibboleth since there has been a lot of pressure to make use of it. I found it in its current form inadequate to work with Web Services in any shape or form. The entire framework is targeting web browsers. The specification itself makes this clear.
So the application domain is rather specific, hence components such as the WAYF (Where Are You From, which is also in the spec) do not have anything to do with middleware and message level security.
In addition Shib is using SSL to secure a message between 2 entities (i.e. computers). This is obviously insufficient for WS usage since messages can traverse past a number of endpoints prior to the final destination that the user intended. SSL only secures a single channel between 2 predetermined endpoints. Therefore the messages that Shib sends are not secure, despite the impression of security the framework gives.
The 'authenticated' message that the browser sends carries user details as a set of attributes. The question I raised was why send the attributes at all in the first place? Since authentication is being carried out remotely and permission is given on a trust basis, why not hide the details of the user altogether behind some alphanumeric string? The real issue here is accountability, which implies the existence of a traceable link between the identity of the user when he uses a service and his/her real identity.
The Security assertions are sent as part of the SOAP body whereas they could easily have made use of WS-Security and placed them in the header, which I thought was the norm. Obviously not yet, but what's the point of having standards if we are not using them? I was not convinced that issues such as privacy, trust, SAML, WS Security have really been understood and put to best use.
Shib 2.0 promises WS support. For the time being the GOLD mechanism seems superior. Thanks to my colleague Caleb who helped me understand it.
panos on 12.22.05 @ 12:16 PM gmt [link]
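The placement point raised in the post above (assertions carried in the SOAP body rather than in a WS-Security header) can be checked mechanically. The sketch below is an added example, not code from Shibboleth, GOLD or the author; the sample envelope is constructed, and the namespace URIs assume SOAP 1.1, WS-Security 1.0 and SAML 1.x.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"        # SOAP 1.1 (assumed)
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")     # WS-Security 1.0 (assumed)
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"            # SAML 1.x (assumed)

# Constructed sample: the assertion travels as an ordinary child of the Body.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:saml="{SAML}">
  <soap:Body>
    <saml:Assertion AssertionID="_constructed-id" Issuer="https://idp.example.org"/>
    <GetReport xmlns="urn:example:service"/>
  </soap:Body>
</soap:Envelope>"""


def assertion_locations(envelope):
    """Return 'header', 'body' or 'elsewhere' for each SAML assertion found."""
    parents = {child: parent for parent in envelope.iter() for child in parent}
    found = []
    for node in envelope.iter(f"{{{SAML}}}Assertion"):
        where, cur = "elsewhere", node
        while cur in parents and where == "elsewhere":
            cur = parents[cur]
            if cur.tag == f"{{{WSSE}}}Security":
                where = "header"
            elif cur.tag == f"{{{SOAP}}}Body":
                where = "body"
        found.append(where)
    return found


def move_assertions_to_header(envelope):
    """Relocate Body-level assertions into soap:Header/wsse:Security."""
    body = envelope.find(f"{{{SOAP}}}Body")
    if body is None:
        return 0
    header = envelope.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        envelope.insert(0, header)          # Header must precede Body
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        security = ET.SubElement(header, f"{{{WSSE}}}Security")
    moved = body.findall(f"{{{SAML}}}Assertion")
    for node in moved:
        body.remove(node)
        security.append(node)
    return len(moved)
```

If the Body is covered by an XML signature, relocate before signing, since removing a child changes the signed content.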
I returned to Newcastle for the final set of chores I need to do before Christmas. One of those took place yesterday and involved the installation and testing of a web authentication tool. We went through the Shibboleth implementation in detail along with a fellow computer scientist. I am currently preparing a tutorial for this which I will post on this blog sometime soon. For the time being I'm attaching some photos from Bastille. I enjoyed my time in Bastille as I always do. Somehow, this time around, I managed to live the entire weekend on crepes au nutelle et banana.
I did put a couple of pounds on. Yesterday I also became a proud owner of a PSP. I bought Championship Manager with it. I want to get the new Xbox360 too but following the advice of a friend I will wait for the Xbox360 until the end of January.
panos on 12.15.05 @ 09:47 AM gmt [link]
I'm spending this weekend in Bastille catching up with Parisian nightlife and doing some Christmas shopping. I also caught up and had a couple of very interesting meetings with my friend and colleague Christos. There is potential for sparking some collaboration since we identified common areas of interest.
Saw Harry Potter earlier...awful film man....just awful...
panos on 12.09.05 @ 08:52 PM gmt [link]
Courtesy of my friend Takis, a bit of humor for Thursday morning...most people I know have been there...
panos on 12.08.05 @ 11:34 AM gmt [link]
This is my technical contribution to the Blog. I was due one. The report describes and evaluates 4 open source authentication and authorisation systems which we have been considering for the GOLD project. I suspect this is the last paper that I will write before Christmas. It also marks the end of a very productive November in which I managed to co-author 2 journal papers, 1 conference submission and a technical report.
I am attaching a link to the report in pdf and a web version. The full reference in case you want it is :
Wu Jake, Periorellis Panos, Evaluation of Authorization-Authentication Tools: PERMIS, OASIS, XACML & SHIBOLETH School of Computing Science, Technical Report Series No.CS-TR-935, University of Newcastle Upon Tyne.
regards
panos on 12.07.05 @ 11:20 AM gmt [link]
After countless hours of work from myself and colleagues the GOLD Middleware paper is finally ready for submission. I will be submitting it on Monday after having read through it a few times over the weekend. It will be submitted to this call which we just made the deadline. If it wasn't for the 4 day extension that Dr. Qusay (one of the editors) gave to all prospective authors I doubt we would have made it. After some pushing and shoving as it is always the case we agreed on structure and content. Let us hope that the reviewers will appreciate the work done on this. Given the restrictions applied by the journal I cannot publish any extracts of the paper until it has been reviewed.
In other news, I signed a contract with the Idea Group for a forthcoming book on web services security that I have been assigned to edit. I have asked another colleague of mine to contribute and I hope he does. The call for chapters will be out shortly.
I look forward to the weekend.
BTW, apologies for the unimaginative cartoon on this post; it is the logo of the GOLD project.
panos on 12.02.05 @ 03:22 PM gmt [link]
I have now updated the Morocco and Malaga entries with Photos and Videos. It took a bit of time because I had to cut them down to a decent size. The videos are a bit big for those of you who are still on 56k modems. Scroll down a couple of entries to find them.
I hope you like them
panos
panos on 12.02.05 @ 12:15 PM gmt [link]