This issue of XML Daily Newslink is sponsored by:
ISIS Papyrus http://www.isis-papyrus.com
- Privacy Workshop: How Can Technology Help Improve Internet Privacy?
- The First IIW-Europe: Internet Identity Workshop Comes to the UK
- An Error-Tolerant Parsing Algorithm for HTTP Dates
- W3C Last Call for Accessible Rich Internet Applications (WAI-ARIA)
- GIS' Future Is With Crowds, Clouds, and 4-D
- Use Apache Shiro for User Authentication in Web Applications
- Is OAuth 2.0 Bad for the Web?
- Increasing Security of SCADA Systems in the Power Industry
Privacy Workshop: How Can Technology Help Improve Internet Privacy?
Hannes Tschofenig, IAB Announcement
An Internet Privacy Workshop is planned for December 8-9, 2010, hosted at the Massachusetts Institute of Technology (MIT). The workshop is co-organized by the Internet Architecture Board (IAB), World Wide Web Consortium (W3C), Internet Society (ISOC), and MIT. Participants are required to submit a position paper to attend the workshop, and submitters of accepted position papers will be invited to attend the workshop.
Background: "Who we are (e.g. our thoughts, dreams, feelings, DNA sequence), what we own (such as financial property), what we have experienced and how we behave (audio/visual/olfactory transcripts), and how we can be reached (location, endpoint identifiers) are among the most personal pieces of information about us. More and more of this information is being digitized and made available electronically. As this information becomes more available, it gets exposed in unpredictable and surprising ways: health record breaches are commonplace today... Reachability information, such as Caller-ID ordinarily concealed by anonymous calls, can be unexpectedly available. Sensor data such as geolocation and other private information stored on personal computers and mobile devices become available to Web sites through dedicated APIs... Personal details are shared and aggregated through social networks. The implementation and use of increasingly more powerful technical mechanisms can simplify, and perhaps even encourage, intrusions by third parties who have no relationship with the end user..."
This "Internet Privacy Workshop" aims to "discuss the experience and approaches taken by technically minded people when designing privacy into protocols and architectures. To frame the discussion we suggest, as examples, to investigate privacy in the following areas: (1) Federated Authentication and Web Identity Management; (2) Real-Time Communication Systems; (3) Mobility Management; (4) Location Protocols; (5) Advanced Web APIs; (6) Social Networks; (7) Store-and-Forward Architectures...
Position papers should address the core privacy challenges, the approach taken to deal with them, and the status of the work. To draw a relationship with other application areas and other privacy properties we would like to discuss how specific approaches can be generalized. Providing background of the work insofar that others are able to evaluate whether the proposal provides insight from a research point of view or offers deployment experience is important even if we welcome both types of contributions... We welcome write-ups of existing concepts, deployed technologies, visionary ideas for how to tackle Internet privacy problems, and lessons learned from successful or failed attempts of privacy-enhancing technologies... Furthermore, both the IAB and the W3C TAG are interested in learning about guidelines and recommendations regarding privacy for the development of standards in these two organizations. It is expected that the input from workshop participants will lead to new work within these two organizations in the area of privacy..."
The First IIW-Europe: Internet Identity Workshop Comes to the UK
Staff, IIW-Europe Workshop Organizers
"The First IIW-Europe Meeting will be held on October 11, 2010 in London at the University of London, MacMillan Hall. The Internet Identity Workshop (IIW) is a working group of the Identity Commons and has been convened in California semi-annually since the fall of 2005. The 10th IIW was held this past May and had the largest attendance thus far. There have been many requests to have an IIW come to Europe, and now the emerging interfederation at the European scale is providing a timely basis to have one in London. This event immediately precedes RSA and has the theme of Identity Across Borders and Sectors.
IIW's focus is on 'user-centric identity' or 'user-driven identity' -- addressing the technical and adoption challenge of how people can manage their own identity across the range of websites, services, companies and organizations with which they interact. The focus of this first IIW-Europe will be on the whole range of global and European initiatives in this space.
Unlike other identity conferences, IIW's focus is on the use of identity management approaches based on open standards that are privacy protecting. IIW is a unique blend of technology and policy discussions where everyone from a diverse range of projects doing the real-work of making this vision happen are able to gather to work intensively.
Relevant IIW Workshop topics include: Mydex; UK online identity; PV Net; German ID Card; Various national ID schemes; Various loyalty schemes; TRM Project; National e-Identity Programmes; European eID Interoperability Platform (STORK); OpenID; IMI Information Cards; Personal Data Protection and the Digital Economy; NIH pilot adoption of Open Identity technologies; Certification of industry open identity credentials; Business models for higher LOA open identity credentials; Government, Commerce and Research and Education Identities; Re-engineering of multiple major services -- health, benefits, pensions, tax..."
See also: the Internet Identity Workshop web site
An Error-Tolerant Parsing Algorithm for HTTP Dates
Bjoern Hoehrmann (ed), IETF Internet Draft
IETF has released an Internet Draft for the specification Parsing Malformed HTTP Dates. The HTTP/1.1 specification "encourages recipients of date values, as found in HTTP headers like Date and Last-Modified, to be robust in accepting date values that may have been sent by non-HTTP software. This memo defines an error-tolerant parsing algorithm based on the date formats permitted by the HTTP specification for this purpose.
From the document Introduction: "HTTP/1.1 (section 3.3) defines three different date formats for use in HTTP. Some deployed software generates values that do not strictly match any of the three formats, and the HTTP specification encourages implementations to be robust in accepting them. Differences include for instance whether numeric values are padded with spaces or with leading zeros, and which delimiters are used. This specification defines a grammar for HTTP date values that tolerates these minor differences to accommodate malformed formats that are known to occur relatively frequently in malformed values and are supported by widely deployed implementations. No effort is made to mirror a particular set of existing implementations or entirely different date formats.
This specification does not update the HTTP specification; values that match the grammar in this document but not the requirements of the HTTP standard continue to be non-compliant. Implementations continue to conform (or not) to the HTTP specification whether or not they follow the requirements defined in this specification.
The incorporated ABNF grammar corresponds to the HTTP-Date grammar with some minor modifications: the leading weekday is a free-form string separated from the remainder by a comma or white space, hyphen and space are valid separators between month, day, and year regardless of the exact format, an optional trailing time zone (a free form string) is allowed for all variants, the three-letter month names may be succeeded by other letters to accommodate spelled-out names, and sequences of white space and digits do not have to have the exact length specified in the HTTP specification..."
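The tolerances the draft lists (free-form weekday, hyphen or space separators, spelled-out month names, variable-width digits, an ignored trailing zone) can be expressed as two regular-expression shapes, one for the RFC 1123/RFC 850 order and one for the asctime order. The following is an added example written for this newsletter, not code from the draft; the regexes, the `ref_year` pivot for two-digit years and the sample inputs are my own constructions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# Tolerant grammar pieces (constructed here, modelled on the draft's description).
_WEEKDAY = r"(?:[A-Za-z]+\s*(?:,\s*|\s+))?"    # free-form weekday, comma or space separated
_SEP = r"[\s-]+"                               # hyphen or white space between day/month/year
_MONTH = r"(?P<mon>[A-Za-z]{3})[A-Za-z]*"      # 3-letter month, may be spelled out further
_TIME = r"(?P<h>\d{1,2}):(?P<mi>\d{1,2}):(?P<s>\d{1,2})"
_TZ = r"(?:\s+[A-Za-z][\w+\-]*)?"              # optional free-form trailing zone string

# RFC 1123 / RFC 850 shape: [weekday,] day sep month sep year time [zone]
_DMY = re.compile(rf"^\s*{_WEEKDAY}(?P<d>\d{{1,2}}){_SEP}{_MONTH}{_SEP}"
                  rf"(?P<y>\d{{4}}|\d{{2}})\s+{_TIME}{_TZ}\s*$")
# asctime shape: [weekday] month day time year [zone]
_MDY = re.compile(rf"^\s*{_WEEKDAY}{_MONTH}\s+(?P<d>\d{{1,2}})\s+{_TIME}\s+"
                  rf"(?P<y>\d{{4}}){_TZ}\s*$")


def _expand_year(text: str, ref_year: int) -> int:
    """Two-digit years (RFC 850): choose the century so the date is not more
    than 50 years in the future relative to ref_year, the HTTP/1.1 19.3 rule."""
    year = int(text)
    if len(text) == 2:
        year += 2000
        if year > ref_year + 50:
            year -= 100
    return year


def parse_http_date(value: str, ref_year: int = 2010) -> Optional[datetime]:
    """Parse a possibly malformed HTTP date; return a UTC datetime or None.
    The trailing zone is accepted but ignored: HTTP dates are GMT by
    definition, and a free-form zone string is not safe input for arithmetic."""
    m = _DMY.match(value) or _MDY.match(value)
    if m is None:
        return None
    month = MONTHS.get(m.group("mon").lower())
    if month is None:
        return None
    try:
        return datetime(_expand_year(m.group("y"), ref_year), month,
                        int(m.group("d")), int(m.group("h")),
                        int(m.group("mi")), int(m.group("s")),
                        tzinfo=timezone.utc)
    except ValueError:        # e.g. 31 Feb or hour 25: reject rather than guess
        return None
```

Values that match the grammar here remain non-compliant HTTP dates, as the draft says; the parser only decides what a recipient will accept, and anything it rejects should be treated as if the header were absent.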
W3C Last Call for Accessible Rich Internet Applications (WAI-ARIA)
Lisa Pappas, Rich Schwerdtfeger, Lisa Seeman (eds), W3C Technical Report
Members of the W3C Protocols and Formats Working Group (PFWG) have published a Last Call Working Draft for Accessible Rich Internet Applications (WAI-ARIA) 1.0. From the Abstract: "Accessibility of web content requires semantic information about widgets, structures, and behaviors, in order to allow assistive technologies to convey appropriate information to persons with disabilities. This specification provides an ontology of roles, states, and properties that define accessible user interface elements and can be used to improve the accessibility and interoperability of web content and applications. These semantics are designed to allow an author to properly convey user interface behaviors and structural information to assistive technologies in document-level markup."
This document is part of the WAI-ARIA suite. The PFWG also published updated Working Drafts of the WAI-ARIA User Agent Implementation Guide that provides guidance on how browsers and other user agents should expose WAI-ARIA features to platform accessibility APIs; WAI-ARIA Authoring Practices that describes how Web content developers can develop accessible rich Web applications using WAI-ARIA; and WAI-ARIA Primer that provides a technical introduction.
Public comment on WAI-ARIA working drafts is invited through October 29, 2010. In particular, The PFWG would like to know: (1) Does the role ontology provide the information and operations that people with disabilities need in order to access and operate richly interactive Web applications? (2) Is the usage of roles, states, and properties clear? (3) Are conformance requirements clear, and sufficient but not excessive? (4) Does the algorithm to calculate accessible name work for user agents and for authors? (5) Does the integration of WAI-ARIA into host languages meet the needs both of the host language and of accessibility? (6) Is the explanation of presentation inheritance clear?
See also: the WAI-ARIA 1.0 specification
GIS' Future Is With Crowds, Clouds, and 4-D
Patrick Marshall, Government Computer News
"After years of development in the background, geospatial technologies are exploding, both in government and consumer markets... Now, untrained users routinely access sophisticated geographic information systems via the Internet using anything from laptop PCs to smart phones and dedicated geospatial devices. 'It's crowd and cloud', according to Mark Reichardt, president of the Open Geospatial Consortium (OGC), a nonprofit standards organization; 'We are seeing this movement of geospatial and location-service functionality seamlessly into the business decision cycle and business tools and consumer services'...
The Pacific Disaster Center, a project that the Defense Department largely funded, showcased its newly released DisasterAware platform, which continually monitors information feeds from meteorological and geological agencies and delivers information and alerts in real time to subscribers. Users can share analyses and situation reports and can query the underlying databases of DisasterAware.
ESRI has launched a new site (ArcGIS.com) which demonstrates how effectively maps and data can be shared in a cloud environment: Geographic information will increasingly be put on the Web, and that will make for a more open society. It will mean that geographic information is embedded and used and available in more things. And more people will be consuming geospatial data in 3-D and even 4-D.
According to OGC's Reichardt, his group is focused on two emerging technologies: Short Message Service (SMS) geotagging and real-time sensors: 'We have a working group right now that is developing an open standard for geoSMS, so that SMS messages can be geotagged. Apart from consumer applications, he said, such tagging would allow emergency services to see the location of someone sending an SMS message. When there is a disaster, sometimes the communications channels are limited but still available, and sometimes SMS messages can still get through'..."
See also: the OGC Candidate Open GeoSMS standard
Use Apache Shiro for User Authentication in Web Applications
Nathan A. Good, IBM developerWorks
Apache Shiro is a framework that you can use for authentication and authorization. Shiro "is a powerful and easy-to-use security framework that performs authentication, authorization, cryptography, and session management. For authentication it supports logins across one or more pluggable data sources—LDAP, JDBC, Kerberos, ActiveDirectory, etc. Authorization features allow one to perform access control based on roles or fine-grained permissions, also using pluggable data sources. With cryptography you secure data with the easiest possible Cryptography APIs available, giving you power and simplicity beyond what Java provides by default. Session Management enables you to use sessions in any environment, even outside web or EJB containers. Easily cluster sessions in large scale applications." This article gives a few examples of how to use Shiro in a Java application and provides an overview of how to use it in a Grails web application...
When securing systems, two security elements, authentication and authorization, are important. Though the two terms mean different things, they are sometimes used interchangeably because of their respective roles in application security. Authentication deals with verifying a user's identity. When you authenticate users, you confirm that they really are who they claim to be. In most applications, authentication is done through a combination of a user name and password. As long as users choose passwords that are sufficiently difficult for others to guess, the combination of a user name and password is usually enough to establish identity. However, other means of authentication, such as fingerprints, certificates, and generated keys, are also available. Once the authentication process successfully establishes identity, authorization takes over to restrict or grant access.
Because Shiro offers authentication with so many different data sources, as well as Enterprise Session Management, it's ideal for implementing single sign-on (SSO)—a desirable feature in large enterprises where users routinely log in to and use many different systems in one day. These data sources include JDBC, LDAP, Kerberos, and Microsoft Active Directory Directory Services (AD DS).
Shiro's Session object lets you use a user's session without having an HttpSession. By using a generic Session object, you can use the same code even if that code is not running inside a web application. By avoiding the requirement of application server or web application server session management, you can use Shiro even in command-line environments. In other words, the code that you write using Shiro's API lets you build command-line applications that connect to an LDAP server and is the same code inside a web application that accesses the LDAP server..."
See also: the Apache Shiro web site
Is OAuth 2.0 Bad for the Web?
Jean-Jacques Dubray, InfoQueue
"Composite Applications went from being a curiosity to mainstream in less than five years. One of the key architectural issues when building composite applications is the double authentication that is required to access a particular service and the corresponding authorization rules: in general we need to authenticate both the (composite) application invoking the service and the user of the composite application itself while having the ability to define the service access rules both for the application and the user. This is particularly difficult in a client/server middleware environment, including HTTP, which has been built for decades on the premise that the "client" represents a single identity: either a software client or a user but not both.
A typical composite application today uses popular APIs (such as Twitter, Facebook or Google) through which it requires access to user specific data. In the early days, composite application developers used to require the knowledge of the user credentials for each service in order to access their data to mash them up in a valuable way...
OAuth is a protocol layered on top of HTTP and HTTP/S that enables a user of both a composite application and a service to grant partial access to the service to the application. It is based on a three party trust federation: user-application, user-service and application-service. Very quickly, the group published the OAuth 1.0 specification which people started to use. OAuth 1.0 may have been published too quickly and was the target of criticisms. It was quickly followed by a competing proposal WRAP (Web Resource Authorization Protocol), which became a profile of OAuth after a rapid standardization effort. Since then, the OAuth working group has been working on OAuth 2.0...
Composite Applications are rapidly becoming a key vector of innovation adding value to otherwise plain data like tasks, friends or TV guides. At the same time, OAuth is poised for a rapid adoption because it solves an acute problem and has gained some momentum in the industry with the support of Facebook, Twitter.... As often in the standardization process, we are now at a crossroads, and our industry has to choose one path or the other: do we support simpler security mechanisms to allow a larger group of developers to build these composite applications, or do we implement stronger ones that would allow other developers to build more services that interoperate and compete with existing ones?..."
Increasing Security of SCADA Systems in the Power Industry
M. E. Kabay, Network World
"In this sixth article in a series focusing on the need for improved information assurance and cyber situational awareness in the electric power industry, we continue a survey of government and industry consensus about the need for increased security of SCADA systems in the power industry.
A 2003 DHS report asserted that the Internet is becoming a new battleground for warfare, according to experts concerned about the potential of a cyberattack to cripple the public infrastructure... In the Mideast conflict, pro-Palestinian hackers have successfully taken down Web sites of the Israeli Parliament, the Israeli Defense Force, the Foreign Ministry, the Bank of Israel, the Tel Aviv Stock Exchange, and others, according to a report by Dartmouth College's Institute for Security Technology Studies.
Dartmouth's study charts how political cyberattacks often precede physical attacks. Cyberattacks after U.S.-led military action are 'extremely likely' and could possibly be catastrophic, according to the report. Information systems—like electrical infrastructures, water resources, and oil and gas—should be considered likely targets...
Steven Iatrou, Senior Lecturer, Department of Information Science, Graduate School of Operational and Information Sciences, Naval Postgraduate School: 'SCADA is everything. It's the heart and soul of the systems. If you can get into that, then you have control or you disrupt their control. Or if you can even get them to think you're in there, then you can lower their confidence in their ability to manage their systems'..."
See also: the Open SCADA Security Project
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/