Last modified: December 29, 2009
XML Daily Newslink. Tuesday, 29 December 2009

A Cover Pages Publication
Provided by OASIS and Sponsor Members
Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc.

PAKE-Based Mutual HTTP Authentication for Preventing Phishing Attacks
Yutaka Oiwa, Hajime Watanabe, Hiromitsu Takagi; RCIS/AIST Technical Paper

A November 2009 technical paper from the Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST) "describes a new password-based mutual authentication protocol for Web systems which prevents various kinds of phishing attacks. This protocol provides a protection of user's passwords against any phishers even if dictionary attack is employed, and prevents phishers from imitating a false sense of successful authentication to users. The protocol is designed considering interoperability with many recent Web applications which requires many features which current HTTP authentication does not provide. The protocol is proposed as an Internet Draft submitted to IETF, and implemented in both server side (as an Apache extension) and client side (as a Mozilla-based browser and an IE-based one). The paper also proposes a new user-interface for this protocol which is always distinguishable from fake dialogs provided by phishers."

From the corresponding IETF Internet Draft "Mutual Authentication Protocol for HTTP" abstract: "This document specifies the "Mutual authentication protocol for Hyper-Text Transport Protocol". This protocol provides true mutual authentication between HTTP clients and servers using simple password-based authentication. Unlike Basic and Digest HTTP access authentication protocol, the protocol ensures that server knows the user's entity (encrypted password) upon successful authentication. This prevents common phishing attacks: phishing attackers cannot convince users that the user has been authenticated to the genuine website. Furthermore, even when a user has been authenticated against an illegitimate server, the server cannot gain any bit of information about user's passwords. The protocol is designed as an extension to the HTTP protocol, and the protocol design intends to replace existing authentication mechanism such as Basic/Digest access authentications and form-based authentications.

The protocol uses a mechanism in ISO/IEC 11770-4 (Information technology - Security techniques - Key Management - Part 4: Mechanisms Based on Weak Secrets), a kind of PAKE (Password-Authenticated Key Exchange) authentication algorithms as a basis. The use of PAKE mechanism allows users to use familiar ID/password based accesses, without fear of leaking any password information to the communication peer. The protocol, as a whole, is designed as a natural extension to the HTTP protocol, defined in RFC 2616. The design also considers replacement of current form-based Web authentication, which is very vulnerable against phishing attacks. To this purpose, several extensions to current HTTP authentication mechanism are introduced..."

See also: the IETF Internet Draft

Seven W3C API Publications Advance the Web Applications Stack
Staff, W3C Announcement

Members of the W3C Web Applications Working Group have published updates to seven specifications related to APIs that enhance the open Web platform as a runtime environment for full-featured applications. W3C now invites implementation experience for the two newest Candidate Recommendations specifications: (1) The Widget Interface - defines an application programming interface (API) for widgets that provides, amongst other things, functionality for accessing a widget's metadata and persistently storing data. (2) Selectors API Level 1 - defines methods for retrieving Element nodes from the DOM by matching against a group of selectors. 'Selectors', which are widely used in CSS, are patterns that match against elements in a tree structure; it is often desirable to perform DOM operations on a specific set of elements in a document. These methods simplify the process of acquiring specific elements, especially compared with the more verbose techniques defined and used in the past...

Public comment on three Last Call Working Drafts is invited through 30-June-2010: [i] Web Storage - introduces two related mechanisms, similar to HTTP session cookies, for storing structured data on the client side. The first is designed for scenarios where the user is carrying out a single transaction, but could be carrying out multiple transactions in different windows at the same time... The second storage mechanism is designed for storage that spans multiple windows, and lasts beyond the current session. In particular, Web applications may wish to store megabytes of user data, such as entire user-authored documents or a user's mailbox, on the client side for performance reasons. [ii] Web Workers - defines an API that allows Web application authors to spawn background workers running scripts in parallel to their main page; this allows for thread-like operation with message-passing as the coordination mechanism. [iii] the Server-Sent Events specification defines an API for opening an HTTP connection for receiving push notifications from a server in the form of DOM events. The API is designed such that it can be extended to work with other push notification schemes such as Push SMS...

The Working Group also updated two Working Drafts: The Web Sockets API specification defines an API that enables Web pages to use the Web Sockets protocol for two-way communication with a remote host. The Working Draft Web SQL Database specification introduces a set of APIs to manipulate client-side databases using SQL; the API is asynchronous, so authors are likely to find anonymous functions (lambdas) very useful in using this API. Note that "this specification has reached an impasse: all interested implementors have used the same SQL backend (Sqlite), but we need multiple independent implementations to proceed along a standardisation path... Should you be an implementor interested in implementing an independent SQL backend, please contact the editor so that he can write a specification for the dialect, thus allowing this specification to move forward..."

See also: the W3C Web Applications (WebApps) Working Group

Smart-Grid Spending to Hit $200 Billion by 2015
Lance Whitney, CNET

"Governments and utilities are expected to ramp up their investments in the electrical smart grid, spending a total of $200 billion worldwide from 2008 through 2015, according to a new Pike Research report. The term "smart grid" is shorthand for a number of technologies intended to automate and digitize management of electrical power. By computerizing the 20th century electrical system, utilities and others in the power industry hope to manage and control electrical output more efficiently and reliably. Though smart grid sounds like it's a single system, it's more an array of different tools and technologies, from smart meters to solar power, all designed to reduce costs, waste less energy, and provide better networking and communications between homes and utilities...

Technologies to automate the grid are expected to win around 84 percent of that $200 billion, says Pike. Smart metering systems to track and analyze the usage of electricity, gas, and water will grab 14 percent, while systems to provide juice to electrical cars will garner the remaining 2 percent... Our analysis shows that utilities will find the best return on investment, and therefore will devote the majority of their capital budgets, to grid infrastructure projects including transmission upgrades, substation automation, and distribution automation... Though the grid has seen some technological advancements, it still suffers from a lack of intelligence and automation that would provide greater efficiency and cost savings, according to Pike. Four key goals will drive higher investments in the grid: improving reliability and security; improving operating efficiencies and costs; balancing power generation supply and demand; and reducing the overall electrical system's impact on climate change..."

See also: the Pike Research report

Ten Big Cloud Trends for 2010
Patrick Thibodeau, ComputerWorld

"Cloud computing is clearly worming its way into the enterprise, especially as a testing and development environment and as a platform for less than critical apps and services. But cloud vendors are, in short, still trying to grow up and become a platform for business-critical applications. They're already working on standards and security issues, improving service level agreements and encouraging vendors to embrace the meter of pricing based on software use, not per-seat cost. With that as backdrop, 2010 will be all about moving enterprises to the cloud. Here are the trends driving it...

Excerpts: "(1) Commodity cloud price slashing continues: Amazon EC2 cut prices up to 15% in November. A small standard Linux-based instance went from 10 cents to 8.5 cents an hour. That same month, Google cut its Picasa photo storage pricing from $20 to $5 for a year... (2) A move to simpler cloud pricing models: 2010 may see a proliferation of 'all-you-can-eat pricing models,' where a user contracts for a set number of hours that includes a range of services... (3) Enterprise application vendors embrace metering; (4) Cloud providers increasingly offer enterprise-caliber SLAs; (5) New technologies will improve cloud use and performance; (6) Cloud providers address security concerns: In March 2009, a broad range of companies, both vendors and cloud users, formed the Cloud Security Alliance to create a consensus on the issue of security. Security is the number one inhibitor to cloud adoption... (7) Performance monitoring will become ubiquitous; (8) Open standards for cloud computing advance: Will customers be able to move easily between clouds? The answer depends on how quickly vendors and customers reach agreements on standards. There was a lot of activity in 2009 on this problem...; (9) Politics will drive decisions; (10) The cloud will decentralize IT decision-making..."

See also: the Cloud Security Alliance (CSA)

BPEL4People and WS-HumanTask 1.1 Reach Public Review
Alex Neihaus, Blog

"I am pleased to report that OASIS has announced that the WS-BPEL Extension for People (also known by its alliterative shorthand name, BPEL4People) 1.1 specification is available for public review. In addition, the companion specification, WS-HumanTask 1.1, is also available for public review. ActiveVOS 7 implements both WS-HumanTask and BPEL4People. In short, these two standards marry automated processing with a vastly updated and more intelligent approach to human workflow that (finally) makes including people in complex processes as easy as including any system task...

Prior to WS-HumanTask (and BPEL4People), creating human tasks usually required interaction with a proprietary workflow system that didn't necessarily integrate easily with the rest of the application architecture: One of the motivations of WS-HumanTask was an increasingly important need to support the ability to allow any application to create human tasks in a service-oriented manner. Human tasks had traditionally been created by tightly-coupled workflow management systems (WFMS). In such environments the workflow management system managed the entirety of a task's lifecycle, an approach that did not allow the means to directly affect a task's lifecycle outside of the workflow management environment (other than for a human to actually carry out the task). Particularly significant was an inability to allow applications to create a human task in such tightly coupled environments...

[...] We're very proud of the fact that ActiveVOS is built from the ground up on standards. We strongly believe that standards support is the entry price for any BPMS that hopes to change the way process applications are built and deployed..."

See also: the BPEL4People review announcement

Elements of a Successful Standard Community
Eran Hammer-Lahav, Blog

What specification communities need (and what existing standards bodies provide) are built-in participation, corporate buy-in, editorial services, working group facilities, and legal hand-holding. There is a long list of 'stuff' [standards development] communities need in order to be successful: (1) Platforms: tools that integrate email, messaging, and collaborative tools with the specification development process. We need a mailing list system that manages CLA signatures. We need the source control system that is directly linked to and from email messages sent to the list with ideas and contributions... (2) Participation: it is surprisingly hard to get people to actually contribute to an open community specification... (3) Editors: the most labor intensive part of writing a specification is writing it and editing it; for that reason (and scarcity of talent), it is very hard to find someone to edit open specifications... (4) Domains, websites, trademarks: someone needs to own and manage the logistics of creating public intellectual properties... (5) Open Source libraries: we are extremely poor in resources for writing quality libraries implementing these specifications; the majority of specifications do not even have a reference implementation or a comprehensive test suite... (6) Chairs / leads; (7) Governance models; (8) Documentations and guides; (9) Demos and experimental sites...

When we founded the Open Web Foundation, the one thing we all agreed on was that we were not creating another standards body. The foundation grew directly out of the OpenID and OpenSocial experiences. What got us here was the desire to avoid having to create these foundations for each specification. What we missed was the fact that 'these foundations' are in fact mini standards bodies. If we are going to create something to replace 'these foundations', it needs to provide at least the same level of services. This might sound like I am proposing turning the Open Web Foundation into a standards body, alongside the W3C, OASIS, IETF, and others. I am not—but I am proposing a significantly different direction..."

See also: the Open Web Foundation web site
