Implementing the ebXML Standardsin Postsecondary Education

Jim Farmer and Justin Tilton

instructional media + magic, inc.

As prepared for (but not delivered at) the

XML Forum of the

Postsecondary Electronics Standards CouncilMonday · February 25, 2002 · Miami, Florida

i n s t r u c t i o n a l m e d i a + m a g i c, i n c.

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Publisher’s Note

• The Architectural Committee focused on the ebXML specifications. The Committee recommended and the Forum adopted the ebXML Business Messaging.

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Federal mandates

• Immigration and Naturalization Service

SEVIS Student and Exchange Visitor Information System, on or after January 1, 2003

• Department of EducationCOD Common Origination and

Disbursements February 2003 (pilot begins March 7, 2002)

• Department of Veterans AffairsVACert Certificates of attendance

sometime 2003

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Federal data exchanges

Business Message

Message Format

Data Transport

Education COD

XML Proprietary Proprietary Encrypted FTP

INS SEVIS XML Proprietary Proprietary Encrypted

Veterans Affairs VACert (planned)

XML ? ?

ebXML XML Application dependent standard

SOAP

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Federal e-Authentication

Aut

hent

icat

ion

Nee

ds

Aut

hent

icat

ion

Nee

ds

None

Strong

Solution SetsSolution Sets

Non

e

One

-Tim

e

Passw

ord

Single Sign On

Bio

met

rics

PKI

Use

r ID

/

Passw

ords

PINS

Pen-b

ased

Signa

ture

Privileged Management

Digital Signature

Click-wrap

StrongWeak

John Sindelar, “Achieving the Vision of E-Government,” Nov 27, 2001

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

JA-SIG Web Services model

HTTPSSOAP Business Message

HTTPSSOAP Business Message

University Agency

ScenarioUser: Student, staff, or facultyAccess Provider: University PortalData Provider: Agency Web Server

SIS

Portal

Web ServerUser App Server

Information Technology Standards

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

ebXML Technical Standards

• Collaboration-Protocol Profile and Agreement - WSDL extended

• Messaging Services – SOAP extended• Reliable messaging

• Message Status Service

• Message Order

• Multi-hop

• Registry – UDDI extended

• Implementation, Interoperability and Conformance

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

ebXML CPPA

Collaboration-Protocol Profile and Agreement

• The Message-exchange capabilities of a Party MAY be described by a Collaboration-Protocol Profile (CPP). The Message-exchange agreement between two Parties MAY be described by a Collaboration-Protocol Agreement (CPA).

Data Representations

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

ebXML naming conventions

• Element names use Upper Camel Case (UCC) convention

• <UpperCamelCaseElement>

• Attributes use Lower Camel Case (LCC)

• <lowerCamelCaseAttribute>

• Class, Interface names use Upper Camel Case

• ClassificationNote, Versionable

• Method names use Lower Camel Case

• getName(), setName()

“OASIS/ebXML Registry Information Model v2.0,” Organization for the Advancement of Structured Information Standards, Dec 18, 2001, p. 8

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Person

ebXML IFX INS SEVIS ED COD

Title 8

First Name 64 40 40 12

Middle Name 64 40

repeating

25 1

Last Name 64 40

repeating

40 35

Suffix 40

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Address

ebXML IFX INS SEVIS ED COD

Address lines 64+32 3 of 64 2 of 60 3 of 40

City 64 32 16 19

County 19

State or Province

64 32 34 2

Postal code 64 11 9 5-13

Country 64 3 2 3

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Other addresses

ebXML IFX INS SEVIS ED COD

e-mail 64 128

Telephone 4+4+8+16 (32)

1+31 (32)

3+7+5

(US only)

10-17

(US only)

URL 256 1024

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Person identifiers

• U.S. Department of Education COD

Social Security Number + Date of Birth + Last Name

• U.S. Immigration and Naturalization Service SEVIS

First Name + Middle Initial + Last Name + Date of Birth (MMDDYYYY)

• U.S. Department of Veteran Affairs

[Documentation not published]

• ebXML

Universal Unique Identifier (UUID) 64 characters

“DCE 128 bit universally unique ids used for referencing another object.”

• IFX

• UUID - 32 characters with four dashes

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Date formats

• W3C YYYY-MM-DD(dashes included)

• ISO 8601:2000

• Extended Format YYYY-MM-DD

• Basic Format YYYYMMDD

• U.S. NIST FIPS 4-2

• References ANSI X 3.30-1997YYYY-MM-DD

Note: INS SEVIS uses MMDDYYYY

SecurityAuthentication and

Authorization

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

ebXML security

Persistent digital signature W3C XMLDSIG

Persistent signed receipt W3C XMLDSIG

Non-persistent IETF TSL or IPSEC

[one direction or bi-directional]

Persistent confidentiality W3C/IETFC XML Encryption

Non-persistent confidentiality IETF TLS or IPSEC

Persistent authorization OASIS SAML

Non-persistent authorization IETF TLS or IPSEC

Trusted Timestamp not yet standardized

[ebXML] “Message Service Specification,” version 2.0, OASIS, Jan 11, 2002

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Security for Federal Data Exchanges

Encryption Institution Person

Education Netscape SSL

Logon/Password

Logon/Password

INS Netscape SSL

Digital certificate

Logon/Password or Digital Certificate?

Veterans Affairs

? Logon/Password

Logon/Password

ebXML IETF TLS Digital certificate

Personal Digital Certificate

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Can a college be trusted?

The federal government can “trust” a college or university because:• The college is already regulated by

federal law and regulations, and precedent.

• By analogy to current paper processes—a long history of “trust.”

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

SAML authentication assertions

• Anonymous Role, organizational affiliation

• Student identified Role, organizational affiliation, name, identification number (SSN), date or birth

• Student identified Account number + pin.[IFX application level] Card content

OR Personal digital certificate

• Staff identified Role, name, local identifier and identifier type, organization and optional sub-organizations

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

References

• “OASIS/ebXML Registry Information Model v2.0,” Organization for the Advancement of Structured Information Systems (OASIS), Dec 18, 2001

• “OASIS/ebXML Registry Servics Specification v2.0,” OASIS, Dec 6, 2001.

• “Message Service Specification Version 2.0,” OASIS, Jan 11, 2002.

• “Business Message Specification V1.2.0a, Interactive Financial Exchange, Dec. 31, 2001.

• “Data elements and interchange formats -- Information interchange -- Representation of dates and times,” ISO 8601:2000, ed. 2, International Organization for Standardization, Dec. 21, 2000.

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

References

• “Interface Control Document for the Student and Exchange Visitor Information System,” Immigration and Naturalization Service, Nov. 21, 2001.

• “Technical Reference for Common Record Transmitters to Common Origination and Disbursement 2002-2003,” Version 3.1, U.S. Department of Education, Nov. 2001.

• “Common Record XML Schema Definition File,”for the Common Record], Version 1.0, U.S. Department of Education, Aug. 20, 2001, file named CommonRecord1pt0.xsd.

The end

www.immagic.com

inst

ruct

ional m

ed

ia +

magic

inst

ruct

ional m

ed

ia +

magic

Web self-service

• Web self-service $ .06

• E-mail $6.00

• Telephone call $12.00

Forrester Research as quoted by Bonnie Azar Power in “Taking self-service out of the dark into Broad Daylight,” Red Herring, No. 110, Feb

2001, pp. 36-37