This issue of XML Daily Newslink is sponsored by:
ISIS Papyrus http://www.isis-papyrus.com
- Unicode 6.0 Beta Includes New Support for Mobile Phones
- First IETF Public Draft for DKIM and Mailing Lists
- NIST Publishes Draft Glossary of Key Information Security Terms
- Open Source ECM on the Rise
- China Moves Toward Mobile Payment Standard
- HASMAT: HTTP Application Security Minus Authentication and Transport
- Red Hat's CEO: Clouds Can Become the Mother of All Lock-Ins
- CFP: IEEE P1817 Standard for Consumer-Ownable Digital Personal Property
Unicode 6.0 Beta Includes New Support for Mobile Phones
Staff, Unicode Consortium Announcement
"The Unicode Consortium has announced the availability of the Unicode 6.0 beta. A smooth transition to each new version of the Unicode Standard is vital, because it is the foundation for all modern software and communications around the world, including all modern operating systems, browsers, and smartphones; modern web protocols (HTML, XML,...) and internationalized domain names.
Software developers and other experts are strongly encouraged to review the beta data files and documentation for Unicode 6.0 carefully, and to provide any feedback regarding errors or other issues to the Unicode Consortium. Software developers can also get an early start in testing their programs with the beta data files so they will be ready for the release of Unicode 6.0 at the end of September.
A long-awaited new feature of Unicode 6.0 is the support of new characters for mobile phones. The emoji (pictographic) characters are in very widespread use, especially in Japan. They have distinct semantics, and are often substituted for related words. For the first time, there is a standard encoding for these characters that allows lossless interchange between different vendors. Unicode 6.0 also adds 222 new CJK unified ideographs in common use in China and Japan, and a number of other symbols and letters used by other languages...
The Unicode Consortium is a non-profit organization founded to develop, extend and promote use of the Unicode Standard and related globalization standards. The membership of the consortium represents a broad spectrum of corporations and organizations in the computer and information processing industry. Members are: Adobe Systems, Apple, DENIC eG, Google, Government of India, Government of West Bengal, IBM, Microsoft, Monotype Imaging, Oracle, SAP, Sybase, The University of California (Berkeley), The University of California (Santa Cruz), Yahoo!, plus well over a hundred Associate, Liaison, and Individual members..."
See also: earlier reference to XML and Unicode
First IETF Public Draft for DKIM and Mailing Lists
Murray Kucherawy (ed), IETF Internet Draft
IETF has published an initial level -00 Internet Draft for DKIM and Mailing Lists. This specification has been produced by members of the IETF Domain Keys Identified Mail (DKIM) Working Group.
DomainKeys Identified Mail (DKIM) Signatures (IETF RFC 4871, updated by RFC 5672) defines a mechanism by which email messages can be cryptographically signed, permitting a signing domain to claim responsibility for the introduction of a message into the mail stream. Message recipients can verify the signature by querying the signer's domain directly to retrieve the appropriate public key, and thereby confirm that the message was attested to by a party in possession of the private key for the signing domain.
"DomainKeys Identified Mail (DKIM) allows an administrative mail domain (ADMD) to assume some responsibility for a message. As the industry has now gained some deployment experience, the goal for this document is to explore the use of DKIM for scenarios that include intermediaries, such as Mailing List Managers (MLMs)... An Administrative Mail Domain can be an author's organization, an operational relay (Mail Transfer Agent, or MTA) or one of their agents. Assertion of responsibility is made through a cryptographic signature. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.
In contrast to relays, there are intermediaries, such as mailing list managers (MLMs), that actively take delivery of messages, re-format them, and re-post them, almost always invalidating DKIM signatures. The goal for this document is to explore the use of DKIM for scenarios that include intermediaries. Questions that will be discussed include: (1) When should an author, or its organization, use DKIM for mail sent to mailing lists? (2) What are the tradeoffs regarding having an MLM verify and use DKIM identifiers? (3) What are the tradeoffs regarding having an MLM remove existing DKIM signatures prior to re-posting the message? (4) What are the tradeoffs regarding having an MLM add its own DKIM signature? [...]"
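The following Python is an added example, not code from the draft or from the newsletter item, of why a relay preserves a DKIM signature while an MLM invalidates it: it implements the RFC 4871 "relaxed" header and "simple" body canonicalizations, signs the canonical form, and re-verifies after each intermediary. The key is a constructed HMAC secret standing in for the RSA key pair DKIM actually publishes in DNS; the list name, addresses and message text are constructed as well.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the signing domain's key: real DKIM uses RSA keys
# published in DNS (RFC 4871); an HMAC secret is used here only so the example
# runs with the standard library. The canonicalization logic is the point.
SIGNING_SECRET = b"example.org._domainkey.s1 (constructed, hypothetical)"

def relaxed_header(name, value):
    """RFC 4871 'relaxed' header canonicalization: lowercase the field name,
    unfold the value and collapse runs of whitespace to a single space."""
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip()

def simple_body(body):
    """'simple' body canonicalization: drop trailing empty lines, end with CRLF.
    Assumes the constructed body uses bare LF line endings."""
    return body.replace("\n", "\r\n").rstrip("\r\n") + "\r\n"

def sign(headers, body, fields=("from", "to", "subject")):
    """Sign the body hash plus the listed headers (dict with lowercase keys)."""
    bh = hashlib.sha256(simple_body(body).encode()).hexdigest()
    data = "\r\n".join(relaxed_header(f, headers[f]) for f in fields) + "\r\nbh=" + bh
    return hmac.new(SIGNING_SECRET, data.encode(), hashlib.sha256).hexdigest()

def verify(headers, body, signature, fields=("from", "to", "subject")):
    """True iff the message as received still matches the signature."""
    return hmac.compare_digest(sign(headers, body, fields), signature)

def relay(headers, body):
    """An MTA that merely re-folds a long Subject line: relaxed canonicalization
    absorbs the change, so the signature survives transit."""
    folded = dict(headers, subject=headers["subject"].replace(" ", "\r\n\t", 1))
    return folded, body

def mailing_list(headers, body):
    """An MLM that tags the Subject and appends a footer: the signed header
    and the body hash both change, which invalidates the author's signature."""
    tagged = dict(headers, subject="[ietf-dkim] " + headers["subject"])
    return tagged, body + "-- \nlist footer\n"

def scenario():
    """Constructed message passed through a relay and then an MLM."""
    headers = {"from": "author@example.org", "to": "ietf-dkim@example.net",
               "subject": "Re: signatures and list footers"}
    body = "Hello list,\n\nwhich changes survive canonicalization?\n\n\n"
    sig = sign(headers, body)
    return {"original": verify(headers, body, sig),
            "after_relay": verify(*relay(headers, body), sig),
            "after_mlm": verify(*mailing_list(headers, body), sig)}
```

Running `scenario()` reports the relayed copy as still valid and the re-posted list copy as invalid, which is the situation questions (3) and (4) of the draft are about.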
NIST Publishes Draft Glossary of Key Information Security Terms
Richard Kissel (ed), NIST Interagency Report
The U.S. National Institute of Standards and Technology (NIST) has announced publication of a 207-page Interagency Report "NIST IR 7298 (Draft) Revision 1: Glossary of Key Information Security Terms." This glossary of common security terms has been extracted from NIST Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and from the Committee for National Security Systems Instruction 4009 (CNSSI-4009).
The glossary does not include every term found in the NIST publications, but it does include most of them, and it contains all of the terms and definitions from CNSSI-4009. Its purpose is to provide a central resource of the definitions most commonly used in NIST information security publications and in CNSS information assurance publications.
Background: "We have received numerous requests to provide a summary glossary for our publications and make it available to practitioners. As a result of those requests, this glossary of common security terms has been extracted... Each entry in the glossary points to one or more source NIST publications, and/or CNSSI-4009, and/or supplemental sources where appropriate. A list of the supplemental (non-NIST) sources may be found on pages 206-207. As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications...
It is our intention to keep the glossary current by providing updates online. New definitions will be added to the glossary, as required, and updated versions will be posted to the Computer Security Resource Center (CSRC) Web site..."
See also: NIST Draft Publications
Open Source ECM on the Rise
Maxwell Cooter, NetworkWorld
"More than a third of organisations worldwide are lacking in support at senior management level for document management. That's according to the annual survey from the Association for Information and Image Management (AIIM) also known as the association for enterprise content management.
However, the landscape is changing. The survey also found that 40 percent of organisations have implemented, or are in the process of implementing, an enterprise content management (ECM) system. The biggest change of all is the growth in open source ECM systems now used by 6 percent of all organisations, with a further 9 percent expected to adopt such technology in future. In fact, the survey found that 64 percent of organisations would consider using open source technology in future... Open source ECM companies have been keen to build on that interest. Earlier this year, Alfresco announced record company results (despite the recession) and fellow open source vendor Nuxeo also doubled its revenue last year...
According to Nuxeo CEO, Cheryl McKinnon, the growing interest in open source ECM has been prompted by an acceptance of open source software within the business environment...
McKinnon said that Nuxeo's flexible architecture was also a factor in attracting customers but pointed out the ratification of CMIS last year also helped drive business: "With a lot of buzz around CMIS, it's the open source vendors who are the ones who have been building up the application building blocks..."
See also: CMIS references
China Moves Toward Mobile Payment Standard
Mike Clendenin, InformationWeek
"China is looking to rally its nascent mobile payment industry around a single technology standard with the hope of cashing in on the world's largest mobile population. The move would quell a long-simmering debate about the merits of using local versus global technologies and focus the enormous resources of the country's telecom operators and banks on accelerating the roll-out of handsets and point-of-sale terminals.
Mobile payment is slowly gaining traction in China, with systems already in place in top-tier cities for subways, supermarkets, convenience stores, cafes, and fast food chains. China's mobile payment market size is estimated at $417 million in 2010, up 45% from 2009. Users are expected to nearly double to 150 million. These numbers mostly reflect niche forms of mobile payment, from IC embedded traffic cards to online payments made from a handset...
The country's largest wireless carrier, China Mobile, is indicating it will suspend deployment of a proprietary system based on a standalone 2.4GHz RF-SIM card. Its rival, China Unicom, has adopted Near Field Communication (NFC), an international standard based on the 13.56MHz frequency...
The standalone RF-SIM card makes it easier for subscribers to start using the system—all that is needed is to change the SIM card, not an entire phone..."
HASMAT: HTTP Application Security Minus Authentication and Transport
Peter Saint-Andre, IETF Posting
Discussion is now underway for the possible formation of a new IETF Working Group 'HTTP Application Security Minus Authentication and Transport' (HASMAT). As proposed, this working group would work closely with IETF Apps Area WGs (such as HYBI, HTTPstate, and HTTPbis), as well as W3C WebApps working group(s).
"The list of attacks is long and includes Cross-Site-Request Forgery (CSRF)-based attacks, content-sniffing cross-site-scripting (XSS) attacks, attacks against browsers supporting anti-XSS policies, clickjacking attacks, malvertising attacks, as well as man-in-the-middle (MITM) attacks against 'secure' (e.g. Transport Layer Security (TLS/SSL)-based) web sites along with distribution of the tools to carry out such attacks (e.g. sslstrip)... WG objectives: With the arrival of new attacks, new web security indicators, security techniques, and policy communication mechanisms have been sprinkled throughout the various layers of the Web and HTTP. The goal of this working group is to standardize a small number of selected specifications that have proven to improve security of Internet Web applications. The requirements guiding the work will be taken from the Web application and Web security communities. Initial work will be limited to the following topics: media type sniffing, as discussed in draft-abarth-mime-sniff; same origin policy, as discussed in draft-abarth-origin; strict transport security, as discussed in the I-D 'draft-hodges-stricttransportsec'.
Proposed deliverables include: (1) document illustrating the security problems Web applications are facing and listing design requirements, and this document would be Informational; (2) A selected set of technical specifications documenting deployed HTTP-based Web security solutions, where these documents would be Standards Track specifications..."
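Strict transport security, the third of the initial HASMAT topics, is the mechanism that blunts the sslstrip-style downgrade named in the charter text. The following Python is an added example, not code from the I-D or the working group, of the client-side policy store that draft-hodges-stricttransportsec describes: a policy is accepted only from an https response, max-age=0 forgets a host, includeSubDomains extends the policy to child domains, and http:// URLs for known hosts are rewritten to https:// before any request is sent. The header name is the draft's; the `headers` argument is assumed to be a dict with lowercased names, and all hosts and values are constructed.

```python
from urllib.parse import urlsplit

def parse_sts(value):
    """Parse 'max-age=N[; includeSubDomains]'; None if the header is malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def note_response(policies, url, headers, now):
    """Record a policy in `policies` (host -> (expiry, include_sub)) from one response.
    Only an https response may set, extend or clear a policy: an active attacker
    on plain HTTP must not be able to tamper with the store."""
    parts = urlsplit(url)
    policy = parse_sts(headers.get("strict-transport-security", ""))
    if parts.scheme != "https" or policy is None:
        return False
    max_age, include_sub = policy
    if max_age == 0:
        policies.pop(parts.hostname.lower(), None)  # max-age=0: forget this host
    else:
        policies[parts.hostname.lower()] = (now + max_age, include_sub)
    return True

def is_known_host(policies, host, now):
    """Exact host match, or an unexpired parent-domain policy with includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = policies.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def rewrite(policies, url, now):
    """Upgrade http:// to https:// for known hosts before the request leaves the
    client; this is what denies an sslstrip-style downgrade its plaintext request."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not is_known_host(policies, parts.hostname, now):
        return url
    netloc = parts.hostname if parts.port in (None, 80) else parts.netloc  # 80 -> 443
    return parts._replace(scheme="https", netloc=netloc).geturl()
```

Feed `note_response` the responses a client sees and pass every outgoing URL through `rewrite`; a policy learned over https keeps subsequent http:// links to that host (and, with includeSubDomains, its subdomains) off the wire until max-age expires.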
Red Hat's CEO: Clouds Can Become the Mother of All Lock-Ins
Mikael Ricknäs, InfoWorld
"Cloud infrastructure 'needs to be defined and certified in a way that's friendly to customers, rather than to IT vendors,' according to Red Hat CEO James Whitehurst.
Lock-in comes in many different guises, including the inability to move workloads among different clouds, the difficulty of extracting data from the cloud and being forced to use the underlying virtualization platform chosen by the cloud provider... Red Hat is focusing much of its efforts on the first of these potential issues. Certifying cloud partners is the most important thing Red Hat has been working on this year...
The cloud certification program was announced last year, and Amazon Web Services was the first cloud provider to get certified. Since then, NTT and IBM have been added to the list of certified partners and more are on the way...
To be able to move a workload from a data center to a cloud or between two clouds, a connecting API (application programming interface) is needed, and there are a plethora of different ones being developed. Fewer would be better... however, the real challenge isn't the API, but ensuring that the application will run with the same performance when it has been moved. That is what Red Hat is focusing on. Getting an API in place that allows a workload to be moved is only 10 percent of the work, according to Whitehurst..."
CFP: IEEE P1817 Standard for Consumer-Ownable Digital Personal Property
Staff, IEEE Announcement
IEEE has issued a Call for Participation in connection with a new IEEE Working Group that will be developing the IEEE P1817 standard (Standard for Consumer-ownable Digital Personal Property). "The project is sponsored by the Microprocessor Standards Committee and co-sponsored by the Information Assurance Standards Committee of the IEEE Computer Society. The first working group meeting will be held on Wednesday, 14 July 2010, 10AM to 3PM at Huawei North America Headquarters.
The P1817 Working Group is specifying the behavior of consumer devices and applications and of online service providers so that consumers may enjoy all of the digital conveniences and ownership privileges of the movies, music, books, games, and other digital products that they purchase, while honoring copyright and respecting the rights of authors and artists to profit from their creative works. We know only one fair way to avoid having a company or a computer decide with whom you can share your copyrighted purchases: let you decide for yourself, the same way you decide how to share your physical possessions—you share with people you trust.
It works like this: (1) Purchase a movie, song, book, game, etc. from an online vendor. (2) Download the encrypted content and store copies wherever you wish. (3) Send one of two (moveable but uncopiable) playkeys from the vendor to an online playkey bank of your choosing. (4) Download your other playkey into your TV, mobile phone, computer, or other device. Now any player device, belonging to anyone, can play the content if you give it a copy of the encrypted content, and you share the location and name of either playkey.
With P1817, product ownership is perpetual, and the tethers are severed that connect your purchases to their vendors. No one can restrict how you privately use or share them. However, because they are copyrighted, rightsholders retain the legal right to control public dissemination of their works. Therefore, just as a printed book can be lost if you share it with a stranger, you must be careful to share only with those you trust; anyone who shares either of your playkeys can move both of them to his own device and his own online playkey bank! The availability and mobility of playkeys lets you electronically share, lend, borrow, give, take, donate, and resell digital property, just as you do with your physical possessions..."
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/