AICC HACP not insecure if calling content at server
Posted on October 07 2004 by John Kleeman
in response to 'QTI Ready' almost ready
This is an interesting article, and this comment is not on QTI Ready. But you mention that you feel that AICC HACP was unsafe.
But I'm not sure that this is generally true. Questionmark supports AICC HACP and SCORM and other means of interfacing, and we have quite a good view of this from practical use.
But although there may be cases where AICC isn't secure (e.g. if the content is local), there are some cases where it is quite secure and probably more secure than SCORM.
Here is what happens when an LMS like Saba or Thinq or Plateau or any other AICC HACP LMS calls an assessment engine like Questionmark Perception:
1. The user navigates to the place in the LMS where a call is made to the assessment
2. The LMS calls the assessment server using HTTP to communicate from one server to another (not via the browser)
3. The LMS and assessment server privately exchange data (e.g. who the student is)
4. The assessment is then run from the assessment server to the student browser
5. Results are then passed back from server to server, again without going through the participant browser
6. The LMS takes control
So whereas in SCORM, results go via the participant browser, in AICC HACP when content is delivered from a server, the two servers talk to each other and this is pretty secure. AICC is old-fashioned, it doesn't use XML, but in the server-to-server case, it's more secure than SCORM. You can see a copy of a paper from our technical director Paul Roberts at an AICC meeting in 2002 at http://www.aicc.org/docs/meetings/04feb2002/api-security.zip which explains this more.
Although we, like others, thought that AICC HACP might be dying, in fact it is used very widely and increasingly, and it looks like it is here to stay as a de facto and very useful standard.
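
The server-to-server exchange in steps 2 to 5 above, modelled in-process as an added example that is not part of the original post and not any vendor's code. It assumes HACP-style GetParam/PutParam messages that the assessment server posts to the LMS; the field names, error codes, class and function names and sample values are assumptions or constructed for illustration.

```python
# Added illustration, not Questionmark or LMS vendor code.
# HACP field names and error codes are assumed; sample values are constructed.
import configparser
import secrets
from urllib.parse import parse_qs, urlencode


def parse_core(aicc_data):
    """Return the [core] group of an INI-style aicc_data block as a dict."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(aicc_data.replace("\r\n", "\n"))
    return dict(ini["core"]) if ini.has_section("core") else {}


class Lms:
    """LMS side: issues sessions and is the only place results are stored."""

    def __init__(self):
        self.sessions, self.results = {}, {}

    def launch(self, student_id):
        sid = secrets.token_hex(16)  # opaque handle: all the browser ever carries
        self.sessions[sid] = student_id
        return sid

    def handle(self, body):
        """Answer one HACP POST body received from the assessment server."""
        form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        sid = form.get("session_id", "")
        if sid not in self.sessions:
            return "error=3\r\nerror_text=Invalid Session ID\r\n"
        command = form.get("command", "").lower()
        if command == "getparam":
            return ("error=0\r\nerror_text=Successful\r\n"
                    f"aicc_data=[core]\r\nstudent_id={self.sessions[sid]}\r\n")
        if command == "putparam":
            self.results[sid] = parse_core(form.get("aicc_data", ""))
            return "error=0\r\nerror_text=Successful\r\n"
        return "error=1\r\nerror_text=Invalid Command\r\n"


def run_assessment(lms, sid, score):
    """Assessment server side: fetch the student, then report the result."""
    base = {"version": "2.2", "session_id": sid}
    reply = lms.handle(urlencode({"command": "GetParam", **base}))
    if not reply.startswith("error=0"):
        return None
    student = parse_core(reply.split("aicc_data=", 1)[1])["student_id"]
    data = f"[core]\r\nlesson_status=completed\r\nscore={score}\r\n"
    lms.handle(urlencode({"command": "PutParam", "aicc_data": data, **base}))
    return student
```

The score is written into the LMS only by a request that carries a session ID the LMS itself issued; the browser never handles the student record or the result.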