Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oasis Gives SAML 1.0 a Thumbs-Up

Posted by ryuzaki0 on from the new-internet-order dept.

Anonymous Custard writes "Oasis has approved the SAML 1.0 specification. From Infoworld: 'Members of the Oasis interoperability consortium approved the Security Assertion Markup Language (SAML) on Wednesday as an OASIS open standard. The move paves the way for the XML-based framework to enable secure SSO (single sign-on) and other security functions for Web services transactions spanning multiple hosted sites.' I feel more secure already!"

51 of 134 comments (clear)

  1. Passport competition? by Alethes · · Score: 5, Interesting

    Is this an open standard that will compete with Passport, or is it something that Passport will have interoperablity with? Are they even related?

    1. Re:Passport competition? by Erik+Hollensbe · · Score: 2

      It depends on how popular it gets. Microsoft is only known for playing along when it's to their advantage.

      At least for me, I'm going to be one of those people that has a different account for each one of these passport-ish things, per site.

      I'm not about to give the keys to my car to all the auto shops in the town that I live and only put the battery in when I want to use it.

    2. Re:Passport competition? by overlord2 · · Score: 3, Informative
      The thing that could be a possible Passport competitor is called Shibboleth:


      It is built on SAML. Read the deployment docs to get an overview (some of it's dated though).

      We've started testing the alpha where I work, it's coming along. The stuff you'll be able to do with Shib is amazing.

      --
      -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -A.Einstein
    3. Re:Passport competition? by finkployd · · Score: 3, Informative


      Liberty Alliance is more of a competitor to Passport than Shibboleth (although the two seem to be VERY similar). My understand about Shibboleth is that it is primarily for Higher Ed, not really geared toward business (thus its dependance on the EduPerson schema)

      I've been working with Scott and Co to get the upcoming Beta release up to par. We have been running the Alpha 2.5 code in production for a class at PSU for a few months now. If you need any help or want to compare notes feel free to email me (mxe20@psu.edu).

      Finkployd (mark earnest)

    4. Re:Passport competition? by IamTheRealMike · · Score: 3, Insightful
      In short, no.

      Passport is a centralized web based SSO system.

      SAML is a protocol/framework for exchanging security assertions. It's not possible to build Passport out of pure SAML, for one SAML lacks a single signout protocol which kind of makes the whole thing rather useless. The Liberty Alliance (who will be releasing 1.1 soon) extend SAML to bring it up to speed.

      We can basically forget about Passport interop for now. I did look into it a few weeks ago for the Identity system I'm working on, but unless Microsoft radically change things (and indications are they won't) anything more advanced than automatic logins would require their approval, you'd probably just get denied access to the network.

  2. Bah. by UndercoverBrotha · · Score: 2, Insightful

    XML is slowly but surely turning into the huge beast from where it came, SGML, I thought the point of XML was simplicity...forget the open standards of data exchange everyone is talking about, the bickering of the major players will never allow XML, or any specifications dervied from it to become the "one" format for efficient data exchange

    MSXML
    SunXML
    IBMXML

    ..get used to it, and more articles like this.

    --
    Solid!
    1. Re:Bah. by Anonymous Coward · · Score: 2, Insightful

      And Xerces...

      Those are just libraries for creating/parsing XML documents. The output of ALL of them is 100% compliant XML. The programming interfaces are not specced at all and are of course 100% different in all implementations.

      I don't think you GROK what XML is exactly to have made that statement.

    2. Re:Bah. by smallpaul · · Score: 5, Informative

      SAML is not part of XML and in no way complicates XML. SAML is a specification built on XML. But to say that SAML complicates XML would be like saying that Mozilla complicates glib.

    3. Re:Bah. by Erik+Hollensbe · · Score: 2

      Personally, I'm just getting sick of using XML where smaller, leaner protocols would do a lot better.

      Seriouly, Has anyone heard of lex and yacc these days?

      (as my colleagues would note, I'm guilty of throwing XML at things that really don't need it too.)

    4. Re:Bah. by tswinzig · · Score: 2

      I thought the point of XML was simplicity

      The point of XML was to allow subset languages to be created for the efficient exchange and storage of data, in a logical (human-readable) format.

      SAML is defined using XML. It changes nothing in XML. How exactly does this bring XML any closer to becoming SGML?

      That your uninformed post got +4 amazes me, truly.

      --

      "And like that ... he's gone."
    5. Re:Bah. by Zeinfeld · · Score: 3, Informative
      Seriouly, Has anyone heard of lex and yacc these days?

      Yes, of course I have. But I do not believe that LR(1) grammars as constructed by yacc have any place in a computer language. Chmosky's syntax theories are designed to model human languages. A computer language that requires the power of a full LR(1) parser is almost certainly more complex than it needs to be.

      lex involves processing that is only slightly simpler than yacc. Again regular expressions are great theory but using the unconstrained power of lex tends to result in specifications that are much more complex to parse than they need to be.

      lex and yacc are tools for building compilers. A (non validating) xml parser can be constructed by hand without much difficulty.

      Incidentally SAML does not use DTDs. In my view DTDs are an obsolete anacronism. SAML is specified using XML Schema which supports a full object oriented data model. XML Schema is unfortunately something of a beast, an XML Schema actually defines two type systems, not just one. An XML element definition defines a type of an element instance. An XML type definition actually specifies the type of a type.

      Even so it is much simpler to use XML to define the data structures and then use automated toold to generate the serialization and parsing code than it is to use yacc, unless of course you start building data models arround yacc - definitively not recommended, been there, done that.

      So don't jump to the conclusion that just because we did not choose to use a familliar tool we don't know what we are doing. I have written specifications based on LR(1) grammars, I have no intention of repeating the experience.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    6. Re:Bah. by Citizen+of+Earth · · Score: 2

      XML, or any specifications dervied from it to become the "one" format for efficient data exchange

      XML as it is now will never be efficient at anything. To be efficient, the XML structure would need to be represented in binary. (And there would be no loss of interoperability.) And any numeric arrays need to be represented raw.

    7. Re:Bah. by TummyX · · Score: 2, Insightful


      point is that XML is *completely and utterly useless* without complex and byzantine frameworks such as SAML and SOAP

      Uh!

      And Java (the language) is completely and utterly useless without the java class libraries. This must mean that Java is a useless language. The fact that it can be used as a standard way to build other technologies on top of is besides the point...

    8. Re:Bah. by Twylite · · Score: 2

      In BNF notation Java has 54 productions, C++ has 88, and XML has 89. Where Java and C++ only support a single character encoding according to their standards, XML requires support for at least 2, one of which must be supported in both endian encodings. Where LR(1) grammars define at design time the significance of whitespace, XML must parse a DTD at runtime to determine when whitespace is or is not significant. In XML arbitrary characters or data can be represented in at least two ways other than a raw character, and XML has built into it a substitution language - so its fair to compare its complexity to C++ and CPP.

      XML is a complex and difficult to implement standard (as evidenced by the very few completed, compliant parsers that are available).

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    9. Re:Bah. by Twylite · · Score: 2

      Plus 85 other rules. Yes, really - check the specification. There mere fact that it has attributes AND every tag can contain tags gives you two orthogonal and redundant data models. There are two character encodings, three character/data representations, four syntactically distinct data models ... and only about four parsers that can claim to be compliant or close to compliant with the specification. Yes, complex.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    10. Re:Bah. by Twylite · · Score: 2

      On the surface XML looks very simple. Balanced parenthesis expressions, as you say. Just under the surface it doubles its complexity: attributes are functionality equivalent to sub-expressions which have the limitation that they themselves can't have sub-expressions. This gives you two equivalent ways to represent information, which complicates the data model. It also makes it slightly more difficult to parse.

      But when you get to the actual syntax, all hell breaks loose. A parser must understand UTF-8 and UTF-16 encoding (the latter in big endian or little endian format).

      A parser must also parse not only the simple embedded parenthesis we know as XML, but also a DTD. Even if it cannot validate, it must parse the DTD in order to get past it and parse the rest of the document, in order to substitute entities, and in order to handle whitespace correctly.

      Beyond the DTD and "basic XML syntax", it must handle special cases for comments, CDATA sections and processing instructions. All of these are effectively subgrammars - once you enter the section it has its own completely different rules for how its content is (or is not) parsed.

      The parser must also detect and substitute entities, as specified in the DTD. The DTD also determines where whitespace is and is not significant, and therefore whether the parser must or should ignore whitespace, or must report it to the application (which is using the parser).

      XML looks simple, and simple non-compliant XML parsers that parse simple XML are easy to write and in abundance. But XML, complete, is complex and tricky.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    11. Re:Bah. by Axe · · Score: 2
      But when you get to the actual syntax, all hell breaks loose. A parser must understand UTF-8 and UTF-16 encoding (the latter in big endian or little endian format).

      Apparently, you do not give a flying fuck about people who do not use American English and ASCII encoding.
      Well, the majority of world population does care about these issues and uses different character sets. If it means a bit more trouble for american programmers - I would say, fuck them lazy fucks.

      Of course - if you ever had to fit in internationalization support into your wondercode, starting on yacc and proceeding into char* haven, then you frigging deserve it.

      I would rather have the toolkit writer have a few grey hairs..

      --
      <^>_<(ô ô)>_<^>
    12. Re:Bah. by Axe · · Score: 2
      Plus 85 other rules. Yes, really - check the specification. There mere fact that it has attributes AND every tag can contain tags gives you two orthogonal and redundant data models. There are two character encodings, three character/data representations, four syntactically distinct data models ... and only about four parsers that can claim to be compliant or close to compliant with the specification. Yes, complex.

      Allow me to repeate my objection to your frigging nonsense:
      So what? Toolkit writer worries about this shit. User does not. XML is simple.

      --
      <^>_<(ô ô)>_<^>
    13. Re:Bah. by Twylite · · Score: 2

      Actually, I do. Like most sane people I understand that one unicode character encoding (EITHER UTF-8 OR UTF-16LE OR UTF-16BE OR UTF-32 OR on of the many others) is adequate. UTF-8 gives you a nice advantage of compatibility with the ASCII-7 character set, which means widespread support for text editing.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  3. Just a thought by cranos · · Score: 3, Interesting

    and keep in mind I am not all that up to speed with web services but are any of these XML files that are going to be used for authentication going to be encrypted?

    I can see a giant hole here in terms of a dedicated cracker intercepting un-encrypted XML files, parsing the information and then using that info for their own nefarious (yes its a big word) schemes.

    Again when it comes to Web Services I am not the most up to date, its just a thought

    1. Re:Just a thought by Erik+Hollensbe · · Score: 3, Interesting

      Well, I'm sure the spec calls for encryption (as it would never get accepted otherwise)....

      Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.

      (Hint: if you're forced to use one of these systems (like I am), make sure you're not using a password you care about -- and don't even bother to make it cryptic)

    2. Re:Just a thought by madro · · Score: 2
      The spec includes a reference to a W3C Proposed Recommendation (Oct. 3, 2002) for XML Encryption Syntax and Processing:
      "a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption element which contains or references the cipher data."
    3. Re:Just a thought by Zeinfeld · · Score: 3, Informative
      Well, I'm sure the spec calls for encryption (as it would never get accepted otherwise)....

      I suspect that I am the only person on this thread who has actually read the specification.

      SAML does not 'call for' encryption. It states that if confidentiality is a requirement then some form of encryption should be used. The actual encryption services are provided by either SSL or WS-Security.

      Then again, run a sniffer on your corporate/college network, and take a look at all those fools who use IMAP and POP without ssl to get their email. It's no better.

      This statement is remarkably clueless if you bother to read what SAML does. It is a single sign on protocol (amongst other things). Protecting the confidentiality of authentication credentials is not something easily overlooked when designing such protocols, particularly when it is largely based on research work done by VeriSign and Netegrity which are both specialists in cryptographic security.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    4. Re:Just a thought by Zeinfeld · · Score: 2
      kudos to you for actually RTFSpec

      Not really, I was the editor.

      However its a bit worrying that a spec whos entire reason for existing is cross-authentication between two or more different sets of Web Services does not make encryption part of its core.

      Not at all. I was working on the WS-Security specification with Microsoft and IBM at the same time as I was editing SAML. The SAML group anticipated that WS-Security would be proposed as soon as the SOAP 1.2 specification started to stabilize.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    5. Re:Just a thought by cranos · · Score: 2, Funny

      Okay the kudos for WTFSpec then ;)

      As I said I will try and read the spec tonight,family permitting.

  4. And as always by kaosrain · · Score: 3, Funny

    Pornography will be the first industry to utilize this new technology ;) -Kaos

    1. Re:And as always by packeteer · · Score: 2

      Its the perfect combination of technology/drugs/music/porn

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
  5. Re:XML framework by Anonymous Coward · · Score: 2, Informative
    unlike software, a framework includes standards.

    an xml framework would use an xml to interface with the rest of the world.

    XML is better than plain-text because unlike keyvalue pairs it can have hierarchy. It makes things more secure because cookies are on a per-domain basis and are an either/or situation with no limits on use ("use my details for customisation, but not tracking").

  6. Re:XML framework by kiltedtaco · · Score: 2, Interesting

    Ok, so because there's a structure to the data transmitted between two computers, it's more secure?

    What?

  7. Re:An example by uberdave · · Score: 2

    That's what makes it so secure!

    --
    "I'm not impatient. I just hate waiting." - My Dad
  8. In Other News... by CySurflex · · Score: 5, Funny
    In Other News...

    The W3C announces the new "CONVERT everything to XML guidebook", including new XML underwear, a revised XSLT super hero, an XML car that drives you to any XPATH, XSD-SCHEMA based twinkies, and of course still supporting the girlfriend that doesn't answer any XML-QUERIES.

  9. But what I really want to know is... by Myco · · Score: 4, Funny

    Do they still think they're the Beatles?

    --
    My deviantArt site
  10. Implementation already included in MS FrontPage by PDHoss · · Score: 5, Funny


    !seineeWerAsreenignEepacsteN
    </password>

    --
    ======================================
    Writers get in shape by pumping irony.
    1. Re:Implementation already included in MS FrontPage by Citizen+of+Earth · · Score: 2

      <password noPeeking="1">
      !seineeWerAsreenignEepacsteN
      </password>

      That's strongly encrypted password considering that whitespace characters are significant in XML. No one will ever be able to reproduce exactly the same pattern of whitespace again! (Including me.)

  11. Make Oasis Open Source! by Lieutenant_Dan · · Score: 2, Funny

    I think it's great that Noel has decided to venture into the computer informatics field. He can leverage off the vast experience of the Open Source developer community to craft his new offering. With their sheer brilliance, the Open Source developer community can overcome most obstacles within a matter of hours.

    Only when we realize the massive potential of Open Source, can we repair the weak Gaussian Blur filters in Photoshop.

    --
    Wearing pants should always be optional.
  12. Compressing XML SAML? by Istealmymusic · · Score: 2, Insightful
    Anyone have any luck compressing SAML-encoded security assertions, or any use of XML for that matter? Maybe I'm old-fashioned, but to me having a plethora of XML tags without abbreviations of any kind is an inadequate use of the ASCII encoding character space. Which is clearer?
    D. E. Knuth, The art of computer programming. Vol. 2, Seminumerical algorithms, third ed., Addison-Wesley Series in Computer Science and Information Processing. Addison-Wesley, Reading, MA, 1997.
    or:
    <citation>
    <author><sirname>Knuth</sirname><givenname>Donald< /givenname><middlename>Ervin</middlename>
    <entitled>Art of Computer Programming, The</entitled>
    <volume>2<volume>
    <subtitle>Seminumerical Algorithms</subtitle>
    <edition><ordinal>3</ordinal></edition&gt ; <excerpt>Addison-Wesley Series in Computer Science and Information Processing</excerpt>
    <publisher>Addison-Wesley</publisher>
    <publishers_house>Reading, MA</publishers_house>
    <year>1997</year>
    I'm not knocking XML--but you have to admit it is extremely verbose compared to terse standard syntaxen available today. If one can combine the flexibility of XML with the tersity of unstructured documents, we'll in for a datum revolution.
    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
    1. Re:Compressing XML SAML? by (H)elix1 · · Score: 2

      Which is clearer?
      D. E. Knuth, The art of computer programming. Vol. 2, Seminumerical algorithms, third ed., Addison-Wesley Series in Computer Science and Information Processing. Addison-Wesley, Reading, MA, 1997.
      or:
      (xml I'm not encoding)
      To the computer? The XML... My sax parser can understand one, allowing me to map every bit of info into a program without (much) hassle. The other, I have to write a parser to take the chunks of information and stuff it into my widget.

      I use to think the same way... until I was converting cobol copybooks into C struts and/or Java. Bandwidth is cheap compared to my time, and lord knows I left some really ugly code (three companies ago) for someone to figure out why the hell I'm grabbing a few characters which map to something important in the HL7 spec.

      --
      +++ UGUCAUCGUAUUUCU
    2. Re:Compressing XML SAML? by Zeinfeld · · Score: 2
      SAML is specified using XML Schema which in turn is specified in terms of the XML Infoset.

      If you want to reduce the size of the XML messages I suggest that you use a more efficient XML encoding rather than a compression algorithm.

      A compression algorithm such as LZW takes entire documents and makes them smaller, this is highly efficient in terms of space but computationally intensive. Decompression typically requires the whole message or at least a substantial part of it to be read before decompression can begin.

      Finaly, the problem is not that "is complex enough that nobody tends to parse it right." ASN.1 is a classical example of a good idea that was butchered in committee. The most half baked example of which being the DER encoding rules which are simply derranged. There is no 'tends' about it, no two full scale ASN.1 tools I have used can be relied on to interoperate. Some fail to interoperate with themselves.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  13. It's good to see them approving open standards by Gregoyle · · Score: 2

    For the longest time, the Gallagher brothers were total wankers. It's very good to see them opening themselves to good things like open XML standards and frameworks.

    --

    "He's more machine now than man, twisted and evil."

  14. Re:An example by ebyrob · · Score: 2

    what the heck is that semicolon ';' doing in there? It's not even inside the root tag, wouldn't that be invalid XML?

  15. LGPL Version of SAML available by bornholtz · · Score: 2, Informative

    The project that I wrote uses SAML to pass authentication information to the various data providers.

    Anyone interested in it can check out the project at http://www.nchelp.org/Meteor.htm.
    If you're interested in looking at the code it can be downloaded from http://www.meteorcentral.com/
    It is licensed via the LGPL.

    --
    -- Freedom means letting other people do things you don't like.
  16. Re:An example by Call+Me+Black+Cloud · · Score: 2

    I enclosed the block with ecode tags and the system added it on. I'm open to suggestions on how to better display posts containing xml to be displayed. I guess I should have tried plain old text or code...

  17. OpenSAML by target562 · · Score: 2

    Those who are actually interested in using this stuff instead of just griping about things they don't understand should take a look at OpenSAML, a Java & C++ library for creating & grokking SAML assertions, at http://www.opensaml.org/

  18. Info about SAML by finkployd · · Score: 5, Informative

    I'm not in any way involved with OASIS (although Champaign Supernova was a cool tune) but I think I can clear up some misunderstandings about SAML.

    First up, it does not extend or alter XML specs in any way, it is a specification for creating authentication and authorization assertions USING XML.

    It will not compete with Passport, but federated authentication systems that could compete with Passport could be designed to use SAML (see Liberty Alliance, or Internet2's Shibboleth).

    IT does NOT (I said NOT) send your password from one place to another. The whole idea is to provide a common "security language" if you will to allow two different types of authentication realms to communicate. What happens is site A trusts site B, and they have worked out a deal where site B's users are allowed to access a resource at site A. So a user wanting to get into site A coming from site B would authenticate into their security realm at site B, and site B would send a SAML assertion to site A claiming that the user is who they say they are. This assertion is a blob of XML data that is digitally signed by site B. It can also be encrypted using XML-Encryption or just sent over an SSL connection.
    This is very useful in higher education (where I live) since some schools intelligently use KerberosV for authentication, while some poor deluded schools use something like LDAP (pop quiz, what is it about a directory access protocol that sounds like "authentication system"?). It is nice to allow these different systems to talk to each other using a common language.

    There are three types of SAML assertions, Authentication, Attribute, and Authorization Decision. An Authentication assertion simply claims that this user was able to log in. An attribute assertion contains information about the user (think Unix groups). Authorization decision is pretty much self explainatory.

    Yes, XML is an annoying buzzword which clueless managers (who learn everything they know from trade rags) think should be used for everything. However this is actually a legit use of the technology. If your goal is to have a generic security language, you might as well use a generic data format.

    To actually use some of this stuff, check out the OpenSAML project developed by Internet2's Middleware team. Also look at Liberty Alliance and Shibboleth.

    Finkployd

    1. Re:Info about SAML by finkployd · · Score: 2

      What is XML Encryption, btw?

      W3C XML Encryption Working Group

      Finkployd

  19. Re:An example by Zeinfeld · · Score: 5, Informative
    Basically you want a site/service you've authenticated with to authenticate you with other sites, so the spec lays out how this should be done. From the RFC (just a snippet):

    More utter clulessness, I edited the SAML specification. In the first place it is an OASIS standard, not an IETF RFC. Secondly the code fragment cited is completely bogus.

    SAML is the Security Assertion Markup Language. It allows security assertions to be specified. A security assertions consists of one or more statements, which may be subject to a number of conditions and contain additional advice.

    A SAML Authentication assertion may be used to specify that a subject has been authenticated using user name and password.

    There was a time when Karma Whores would actually read the material they were citing.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  20. Re:An example by Call+Me+Black+Cloud · · Score: 2

    Look Zigfried...it's a joke. See, it's supposed to be all about security, yet the password is stored in plain text in the "sample". Didn't you like the part about "display" being a bunch of *'s?

    I thought it was funny that the post was modded informative - I think it's hilarious that you took it so serious! Here's another xml snippet for you:

    <sucka>you</sucka>

  21. Re:TWEEEET!!! by ebyrob · · Score: 2

    so this must be impossible?

    <xml>
    &lt;
    </xml>

  22. Re:An example by ebyrob · · Score: 2

    Well, I probably sounded more shrill than I meant it.

    My point was merely that XML being so *simple* it's funny how difficult it can be to actually use for things at times...

  23. Re:encodings and syntax by Twylite · · Score: 2

    The syntax characters are not the same in all encodings. This is made completely clear by one of the appendices to the XML specification, which explains how a parser can determine the character encoding in use by examining the first four bytes of the file.

    Since an XML document must start with <?xml, in UTF-8 the first four bytes will be <?xm . In UTF-16, however, the fist four bytes will contain BE or LE 16-bit encodings for just the first two characters <?, because each character uses at least 16-bits to encode. You can also determine UTF-32 encodings and others.

    Encoding determines how to interpret the bits and bytes of the document into characters, and the control characters are not the same in all encodings. A parser that naively parses a document as ASCII will get the completely wrong idea if it is UTF-8 encoded, where there may be multiple bytes per character. A UTF-16 encoded document parsed as UTF-8 will be completely garbled.

    --
    i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  24. Re:An example by Zeinfeld · · Score: 2
    Look Zigfried...it's a joke. See, it's supposed to be all about security, yet the password is stored in plain text in the "sample". Didn't you like the part about "display" being a bunch of *'s?

    It might be funny if there weren't so many people on slashdot who might actually think that way,.

    It is like Ronald Reagan making a 'joke' about bombing Russia, it wasn't funny because lots of people really did think he was a senile fool who might do something like that.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/