DOCSLIB.ORG

On Message-Level Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

On Message-Level Security Christian Mainka (Place of birth: Hattingen, Germany) Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakultät für Elektrotechnik und Informationstechnik an der Ruhr-Universität Bochum 1st. Supervisor: Prof. Dr. Jörg Schwenk Ruhr-University Bochum 2nd. Supervisor: Prof. Dr. Joachim Posegga University of Passau Bochum, 20th December 2016 Author contact information: [email protected] This thesis was submitted to the Faculty of Electrical Engineering and Infor- mation Technology of Ruhr-University Bochum on December the 20th, 2016 and defended on March the 28th, 2017. Examination committee: Prof. Dr. Thorsten Holz Ruhr-University Bochum Committee Chair Prof. Dr. Jörg Schwenk Ruhr-University Bochum 1st. Supervisor Prof. Dr. Joachim Posegga University of Passau 2nd. Supervisor Prof. Dr. Dorothea Kolossa Ruhr-University Bochum Committee Member Prof. Dr. Markus Dürmuth Ruhr-University Bochum Committee Member Abstract The advent of message-level security raised with the upcoming popularity of multi-party application architectures, in which securing messages only during transport does not fulfill the demands. Security features are directly added to the exchanged messages so that they can be forwarded to further entities with- out losing their protection, even if an untrusted party is involved in between. This thesis analyzes message-level security in two widely-used application areas: web services and Single Sign-On (SSO). Through the described methodology, numerous security issues in various software libraries and websites were identi- fied, reported and fixed. The first part of the thesis analyzes the security of SOAP-based web services. This work found novel attack techniques with the focus on automatic detection and circumvention of existing countermeasures. With WS-Attacker, a software developed in this context, the first fully-automatic penetration test software for web service security is designed and implemented. Its application led to the discovery of numerous vulnerabilities in well-known web service frameworks, such as Apache CXF, and in the IBM DataPower Security Gateway. The issues were reported to the developers and the implementation flaws were fixed. The second part of the thesis examines the security of SSO systems. Generic attack concepts applicable to arbitrary SSO protocols are developed and then applied to the protocols (1.) OpenID, (2.) OpenID Connect, and (3.) Security Assertion Markup Language (SAML). These attack concepts are based on a newly introduced SSO Attacker Paradigm which is founded by the question whether the Identity Provider (IdP) in an SSO protocol can always be viewed as a Trusted Third Party (TTP). The research results in this thesis show that in modern SSO systems, an attacker may integrate his malicious IdP and, thus, they reveal that the answer is no. The malicious IdP can then be used for the detection of security vulnerabilities and for their exploitation. Based on the SSO Attacker Paradigm, the attack techniques are evaluated. Vulnerabilities are identified in different OpenID, OpenID Connect, and SAML implementations. The security of widespread systems, such as Software-as-a- Service Cloud Providers (SaaS-CPs), can be broken. We show how to success- fully log in to foreign accounts, read out local files stored on the server, and to efficiently execute Denial-of-Service (DoS) as well as complex Server-Side Request Forgery (SSRF) attacks. The work described in this thesis influenced the development of many web service frameworks and SSO systems. Within this context, attacks on the spe- cification of OpenID Connect are shown that allow to break the main target of the protocol – the authentication of the End-User – regardless of the underly- ing implementation. A countermeasure has been proposed in collaboration with the official OAuth and OpenID Connect workgroups of the Internet Engineering Task Force (IETF). Due to the attacks, the specifications of OAuth and OpenID Connect are currently being updated and adjusted. Kurzfassung Die vorliegende Dissertation beschäftigt sich mit dem Thema Nachrichtensicher- heit in Webservices und Single Sign-On (SSO) Systemen. Durch die in der Dis- sertation beschriebene Methodologie sind zahlreiche Sicherheitslücken in ver- schiedenen Softwarebibliotheken und Webseiten identifiziert, gemeldet und be- hoben worden. Im ersten Teil der Dissertation wird die Sicherheit von SOAP-basierten Web- services untersucht. Es werden neuartige Angriffstechniken mit dem Fokus auf automatischer Erkennung und Umgehung von existierenden Gegenmaßnahmen vorgestellt. Mithilfe der in diesem Rahmen entwickelten Software WS-Attacker ist es möglich, vollautomatische Penetrationstests durchzuführen. Dadurch kon- nten zahlreiche Schwachstellen in bekannten Webservice-Frameworks wie Apache CXF, sowie im IBM DataPower Security Gateway festgestellt werden. Diese sind den Herstellern gemeldet und durch die Mithilfe des Autors behoben wor- den. Im zweiten Teil der Dissertation wird die Sicherheit von SSO Systemen un- tersucht. Es werden generische Angriffskonzepte entwickelt, die anschließend auf die Protokolle (1.) OpenID, (2.) OpenID Connect und (3.) SAML angewen- det werden. Diese Konzepte beruhen auf einem neuen Angriffsparadigma, das durch die Dissertation eingeführt wird. Das Paradigma basiert auf der Frage, ob der Identity Provider (IdP) in einem SSO Protokoll stets als vertrauenswürdige dritte Partei angesehen werden kann. Die Dissertation zeigt, dass diese Frage verneint werden muss, da in modernen SSO Protokollen ein Angreifer seinen eigenen, bösartigen IdP verwenden kann. Dieser kann für das Auffinden von Schwachstellen (Vulnerability Detection) und für dessen Ausnutzung (Vulnera- bility Exploitation) verwendet werden. Auf Basis des Paradigmas werden die entwickelten Angriffstechniken evaluiert. Dabei werden Schwachstellen in verschiedenen OpenID, OpenID Connect und SAML Implementierungen identifiziert. Die Sicherheit von weit verbreiteten Systemen, wie Software-as-a-Service Cloud Anbietern, konnte gebrochen wer- den. Es wird gezeigt, wie die Anmeldung in fremden Accounts, das Auslesen von lokalen auf dem Server gespeicherten Dateien, effiziente Denial-of-Service sowie komplexe Server-Side-Request-Forgery Angriffe erfolgreich durchgeführt werden konnten. Im Rahmen der Dissertation werden darüber hinaus Angriffe auf die Spe- zifikation von OpenID Connect gezeigt. Diese ermöglichen es, das Hauptziel des Protokolls – die Authentifizierung des Endbenutzers – unabhängig von der genutzten Implementierung zu brechen. Gemeinsam mit den offiziellen OAuth- und OpenID Connect-Arbeitsgruppen der Internet Engineering Task Force (IETF) ist eine Gegenmaßnahme entwickelt worden. Auf Grund der Angriffe werden die Spezifikationen von OAuth und OpenID Connect zurzeit erneuert und angepasst. Acknowledgements This work is the result of a four-year journey of intensive research. Without the support of many people, it would not have been possible. First, I want to thank my supervisor Jörg Schwenk. He gave me all the freedom, support, and excellent advises to improve and refine my investigations. Working for him was a real pleasure. I would like to thank all my colleagues at the Chair for Network and Datase- curity (NDS). Especially, I want to thank Juraj Somorovsky for introducing me into the world of XML Security and web services, and for all the nice places in the world that I could visit with him. A very special thanks to Vladislav Mladenov, who showed me the amazing world of SSO attacks. Without him, it would have been impossible to break all the protocols. I further want to thank Marcus Niemietz, for all the fruitful discussions and introducing me to XSS and web security; Dennis Felsch for maintaining the incredible cloud infrastructure and for all the coffee; Florian Feldmann for all the late-night office discussions (when all the other people have left) and for whisky; Furthermore, I want to thank all my research co-authors and my students for making it possible to write all these awesome research papers. Last but not least, I want to thank my parents, my brother, and my girlfriend Janine. Without their continuous support in every situation, this work would have been impossible. Contents 1 Introduction 1 1.1 Topics and Contributions . 2 1.2 Publications . 4 1.2.1 Publications Contributing to Chapter 2 . 4 1.2.2 Publications Contributing to Chapter 3 . 6 1.2.3 Other Publications . 7 2 Web Services Security 9 2.1 XML and DTD Parsing Security . 10 2.1.1 XML Foundations . 10 2.1.2 Denial-of-Service . 13 2.1.3 File System Access . 16 2.1.4 Server-Side Request Forgery . 18 2.1.5 Additional Attack Techniques . 18 2.2 Web Service Foundations . 18 2.2.1 Processing a Web Service Request on Server Side . 19 2.2.2 XML Security . 20 2.2.3 Web Services Security . 20 2.3 WS-Attacker – Penetration Testing Tool for Web Services Security 22 2.3.1 Web Services Attacks . 23 2.3.2 Concept for a Web Services Penetration Testing Tool . 27 2.3.3 WS-Attacker – Implementation Details . 29 2.3.4 Evaluation . 35 2.3.5 Summary . 37 2.4 Denial-of-Service Penetration Testing on Web Services . 37 2.4.1 XML-based Denial-of-Service Attacks . 38 2.4.2 Automatic Testing of Denial-of-Service Attacks for Web Services . 39 2.4.3 Evaluation . 45 2.4.4 Summary . 47 2.5 Adaptive and Intelligent Fully-Automatic Detection of Denial-of- Service . 47 2.5.1 Denial-of-Service Complexity . 48 2.5.2 Design . 50 2.5.3 Implementation . 51 2.5.4 Practical Evaluation . 54 2.5.5 Summary . 57 2.6 How to Break XML Encryption – Automatically . 57 2.6.1 Attacks on XML Encryption . 59 2.6.2 Automatic XML Encryption Attack . 63 2.6.3 Practical Evaluation . 67 2.6.4 Summary . 72 2.7 Related Work . 72 2.8 Conclusions . 74 vii Contents 3 Single Sign-On Security 75 3.1 Conceptual Overview on Single Sign-On Protocols . 77 3.1.1 Protocol Phases . 77 3.1.2 SSO Token . 78 3.2 Single Sign-On Protocol Classification . 79 3.2.1 OAuth-Family Protocols . 80 3.2.2 Other SSO Protocols . 82 3.2.3 Summary . 83 3.3 How to Analyze SSO? . 84 3.4 Using Malicious IdPs for Analyzing SSO .
Recommended publications
  • How to Secure Your Web Site Picked up SQL Injection and Cross-Site Scripting As Sample Cases of Failure Because These Two Are the Two Most Reported Vulnerabilities

    How to Secure Your Web Site Picked up SQL Injection and Cross-Site Scripting As Sample Cases of Failure Because These Two Are the Two Most Reported Vulnerabilities

    How to Secure your Website rd 3 Edition Approaches to Improve Web Application and Web Site Security June 2008 IT SECURITY CENTER (ISEC) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN This document is a translation of the original Japanese edition. Please be advises that most of the references referred in this book are offered in Japanese only. Both English and Japanese edition are available for download at: http://www.ipa.go.jp/security/english/third.html (English web page) http://www.ipa.go.jp/security/vuln/websecurity.html (Japanese web page) Translated by Hiroko Okashita (IPA), June 11 2008 Contents Contents ......................................................................................................................................... 1 Preface ........................................................................................................................................... 2 Organization of This Book ........................................................................................................... 3 Intended Reader ......................................................................................................................... 3 Fixing Vulnerabilities – Fundamental Solution and Mitigation Measure - .................................... 3 1. Web Application Security Implementation ............................................................................... 5 1.1 SQL Injection .................................................................................................................... 6 1.2
  • Realization of the System for Access Management and Identity Federation with Use of Service Mojeid and the Product Dirx Access

    Realization of the System for Access Management and Identity Federation with Use of Service Mojeid and the Product Dirx Access

    MASARYKOVA UNIVERZITA FAKULTA}w¡¢£¤¥¦§¨ INFORMATIKY !"#$%&'()+,-./012345<yA| Realization of the system for access management and identity federation with use of service mojeID and the product DirX Access. DIPLOMA THESIS Jakub Šebök Brno, Autumn 2014 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Jakub Šebök Advisor: RNDr. JUDr. Vladimír Šmíd, CSc. ii Acknowledgement I would like to thank firstly to my technical consultant Filip Höfer for his guidance. Secondly I thank to Mr. Šmíd for his advice about methodology and formal formatting of the thesis. And lastly I would like to thank all who survived by my side and cheered me up espe- cially during last months before the deadline. These are namely my mom, my girlfriend, Anton Gierlti, Matej Chrenko, Buddha and Bill Cosby. Thank you all again for enormous support. iii Abstract The aim of this thesis is implementation of a client program on the side of DirX Access which cooperates with the Czech identity provider mojeID. This cooperation consists of authenticating users by third party authority such that their credentials can be used for further processing in access management mechanism of DirX Access. iv Keywords security, SSO, OpenID, policies, RBAC, identity, mojeID, access man- agement, authentication, authorization v Contents 1 Introduction ............................3 2 Internet Security and Terminology ..............5 2.1 Identity ............................5 2.2 Identity Provider and Relying Party ...........6 2.3 Claims vs.
  • Understanding the Value of Arts & Culture | the AHRC Cultural Value

    Understanding the Value of Arts & Culture | the AHRC Cultural Value

    Understanding the value of arts & culture The AHRC Cultural Value Project Geoffrey Crossick & Patrycja Kaszynska 2 Understanding the value of arts & culture The AHRC Cultural Value Project Geoffrey Crossick & Patrycja Kaszynska THE AHRC CULTURAL VALUE PROJECT CONTENTS Foreword 3 4. The engaged citizen: civic agency 58 & civic engagement Executive summary 6 Preconditions for political engagement 59 Civic space and civic engagement: three case studies 61 Part 1 Introduction Creative challenge: cultural industries, digging 63 and climate change 1. Rethinking the terms of the cultural 12 Culture, conflict and post-conflict: 66 value debate a double-edged sword? The Cultural Value Project 12 Culture and art: a brief intellectual history 14 5. Communities, Regeneration and Space 71 Cultural policy and the many lives of cultural value 16 Place, identity and public art 71 Beyond dichotomies: the view from 19 Urban regeneration 74 Cultural Value Project awards Creative places, creative quarters 77 Prioritising experience and methodological diversity 21 Community arts 81 Coda: arts, culture and rural communities 83 2. Cross-cutting themes 25 Modes of cultural engagement 25 6. Economy: impact, innovation and ecology 86 Arts and culture in an unequal society 29 The economic benefits of what? 87 Digital transformations 34 Ways of counting 89 Wellbeing and capabilities 37 Agglomeration and attractiveness 91 The innovation economy 92 Part 2 Components of Cultural Value Ecologies of culture 95 3. The reflective individual 42 7. Health, ageing and wellbeing 100 Cultural engagement and the self 43 Therapeutic, clinical and environmental 101 Case study: arts, culture and the criminal 47 interventions justice system Community-based arts and health 104 Cultural engagement and the other 49 Longer-term health benefits and subjective 106 Case study: professional and informal carers 51 wellbeing Culture and international influence 54 Ageing and dementia 108 Two cultures? 110 8.
  • Next-Gen Technology Transformation in Financial Services

    Next-Gen Technology Transformation in Financial Services

    April 2020 Next-gen Technology transformation in Financial Services Introduction Financial Services technology is currently in the midst of a profound transformation, as CIOs and their teams prepare to embrace the next major phase of digital transformation. The challenge they face is significant: in a competitive environment of rising cost pressures, where rapid action and response is imperative, financial institutions must modernize their technology function to support expanded digitization of both the front and back ends of their businesses. Furthermore, the current COVID-19 situation is putting immense pressure on technology capabilities (e.g., remote working, new cyber-security threats) and requires CIOs to anticipate and prepare for the “next normal” (e.g., accelerated shift to digital channels). Most major financial institutions are well aware of the imperative for action and have embarked on the necessary transformation. However, it is early days—based on our experience, most are only at the beginning of their journey. And in addition to the pressures mentioned above, many are facing challenges in terms of funding, complexity, and talent availability. This collection of articles—gathered from our recent publishing on the theme of financial services technology—is intended to serve as a roadmap for executives tasked with ramping up technology innovation, increasing tech productivity, and modernizing their platforms. The articles are organized into three major themes: 1. Reimagine the role of technology to be a business and innovation partner 2. Reinvent technology delivery to drive a step change in productivity and speed 3. Future-proof the foundation by building flexible and secure platforms The pace of change in financial services technology—as with technology more broadly—leaves very little time for leaders to respond.
  • Dynamic Deployment of Specialized ESB Instances in the Cloud

    Dynamic Deployment of Specialized ESB Instances in the Cloud

    Institute of Architecture of Application Systems University of Stuttgart Universitätsstraße 38 D-70569 Stuttgart Master Thesis No. 3671 Dynamic Deployment of Specialized ESB instances in the Cloud Roberto Jiménez Sánchez Course of Study: Infotech (Non-Degree) Examiner: Prof. Dr. Frank Leymann Supervisors: Santiago Gómez Sáez Johannes Wettinger Commenced: May 22, 2014 Completed: November 21, 2014 CR-Classification: C.2.4 ; D.2 Abstract In the last years the interaction among heterogeneous applications within one or among mul- tiple enterprises has considerably increased. This fact has arisen several challenges related to how to enable the interaction among enterprises in an interoperable manner. Towards addressing this problem, the Enterprise Service Bus (ESB) has been proposed as an integration middleware capable of wiring all the components of an enterprise system in a transparent and interoperable manner. Enterprise Service Buses are nowadays used to transparently establish and handle interactions among the components within an application or with consumed exter- nal services. There are several ESB solutions available in the market as a result of continuously developing message-based approaches aiming at enabling interoperability among enterprise applications. However, the configuration of an ESB is typically custom, and complex. More- over, there is little support and guidance for developers related to how to efficiently customize and configure the ESB with respect to their application requirements. Consequently, this fact also increments notably the maintenance and operational costs for enterprises. Our target is mainly to simplify the configuration tasks at the same time as provisioning customized ESB instances to satisfy the application’s functional and non-functional requirements.
  • The Role of Business in Disaster Response a Business Civic Leadership Report BCLC Is an Affilliate of the U.S

    The Role of Business in Disaster Response a Business Civic Leadership Report BCLC Is an Affilliate of the U.S

    The Role of Business in Disaster Response A Business Civic Leadership Report BCLC is an affilliate of the U.S. Chamber of Commerce. The Role of Business in Disaster Response Introduction Information Technology S 2 Business Civic Leadership Center 30 Cisco Corporate Expertise in Disasters Using Expert Networking Knowledge to Assist T Communities in Crisis Resilience 32 IBM Preparedness Beyond Search & Rescue: Improving Disaster Zone’s Long-Term Prospects 6 Office Depot Talking About Preparedness: EN 34 Google Leave No Stone Unturned Google’s Crisis Response Initiative 8 Citi T 36 Microsoft Natural Disaster Financial Management: Increasing Information and Technology Capacity It’s All About Precrisis Preparation in Times of Disaster 10 Shell A Strategic Approach to Response and Recovery Insurance 40 Allstate A Promise to Our Communities Is Our Business Public-Private Partnership CON 14 Maryland Emergency Management Agency Infrastructure F Maryland Businesses Get Their Stake in 44 Degenkolb Engineers Emergency Response Degenkolb’s 70-Year Tradition of Earthquake Chasing Lessons Learned 16 Walmart Public-Private Collaboration: Six Years 46 Proteus On-Demand After Hurricane Katrina Learn From the Past, Be Involved in the Future E O 48 Project Jomo Storm of Ideas Logistics L 20 UPS We Love the Logistics of Disaster Response Debris Removal 22 FedEx 52 Caterpillar Logistics Support During Disasters: Changing Lives Through Sustainable Progress Another Day at the Office 54 Ceres Environmental TAB Helping Jefferson County Recover Food 26 Cargill An Unprecedented Crisis in the Horn of Africa Prompts an Extraordinary Response From Cargill bclc.uschamber.com 2012 • 1 INTRODUCTION Corporate Expertise in Disasters By Stephen Jordan and Gerald McSwiggan, U.S.
  • Trusted Computing Or Distributed Trust Management?

    Trusted Computing Or Distributed Trust Management?

    Trusted computing or distributed trust management? Michele Tomaiuolo Dipartimento di Ingegneria dell’Informazione Università di Parma Via Usberti, 181/A – 43100 Parma – Italy [email protected] Abstract Nowadays, in contrast with centralized or hierarchical certification authorities and directory of names, other solutions are gaining momentum. Federation of already deployed security systems is considered the key to build global security infrastructures. In this field, trust management systems can play an important role, being based on a totally distributed architecture. The idea of distributed trust management can be confronted with the concept of trusted computing. Though having a confusingly similar denomination, the different interpretation of trust in these systems drives to divergent consequences with respect to system architectures and access policies, but also to law, ethics, politics. While trusted computing systems assure copyright holders and media producers that the hosting system will respect the access restrictions they defined, trust management systems, instead, allow users to grant trust to other users or software agents for accessing local resources. Keywords Data security, Security Management, Authentication, Authorization, Intellectual Property Rights, Information Access, Digital Books, Multimedia, Web Technologies Introduction A number of architectures and systems are being proposed as a ground for improved interoperability among diverse systems, mainly exploiting the idea of service-oriented architecture. Yet, some issues remain open. In fact, composition of services requires some delegation of goals and duties among partners. But these delegations cannot come into effect, if they’re not associated with a corresponding delegation of privileges, needed to access some resources and complete delegated tasks, or achieve desired goals.
  • 14 Months to Turn $2M Into $4M with Your Help CONTENTS

    14 Months to Turn $2M Into $4M with Your Help CONTENTS

    MAGAZINE WINTER 2015 We have 14 months to turn $2M into $4M with your help CONTENTS Dean David Saunders welcomes alumni, faculty and staff to the annual Homecoming Brunch in Goodes Hall in October. ii MAGAZINE WINTERWINTER 2015 FEATURES 8 A NEW WAVE — Introducing seven new faculty members. 15 START-UPS SNAPSHOT — Alumni-led new ventures produce a treadmill desk, provide a novel income tax- preparation service and revolutionize colour 3-D printing. 18 VIVE LA RÉSISTANCE, TO CHANGE — Peter Lawton, BCom’74, uncovers a dark chapter in Parisian history. 20 BE A MATCHMAKER — Introducing a $2M gift-matching program that’s on a fixed deadline. PROFILES 22 UP AND AWAY — Inside Google’s Project Loon (“Balloon-Powered Internet for Everyone”) with Doug Wightman, BCom’04, PhD’13-Computer Science. 26 A SEAT AT THE TABLE — Brenda Trenowden, BCom’89, a 25-year international banking veteran, champions increasing the number of women on corporate boards. DEPARTMENTS 2 From the Dean 3 Inside Goodes 29 Alumni Notes 37 Alumni News MAGAZINE Queen’s School of Business’S MAGAZINE FOR ALUMNI & FRIENDS MANAGING EDITOR CONTRIBUTORS Shelley Pleiter Claire Bouvier [email protected] Yadira Gonzalez CONTRIBUTING EDITOR Andrea Gunn Amber Wallace, QSB Director of Kari Knowles Communications & External Relations Peter Lawton Tanya Ligthart DESIGN Alan Morantz ReVue Design & Communications Andrea Strike Published three times a year by Queen’s School of Business Kingston, Ontario, Canada K7L 3N6 Tel 613.533.3118 Fax 613.533.6978 Email [email protected] Web www.qsb.ca © Copyright 2015, Queen’s University Volume 55, Winter 2015 ISSN 0714798 Available by subscription and online at www.qsb.ca/magazine amont L uzy S FROM THE DEAN QSB ADVISORY Board MEMBERS Steven Albiani, BCom’03, Managing Partner, Stratum Advisory Group Inc.
  • OASIS Response to NSTC Request for Feedback on Standard Practices

    OASIS Response to NSTC Request for Feedback on Standard Practices

    OASIS RESPONSE TO NSTC REQUEST FOR FEEDBACK ON STANDARDS PRACTICES OASIS (Organization for the Advancement of Structured Information Standards) is pleased to respond to the request from the National Science and Technology Council's Sub-Committee on Standards published at 75 FR 76397 (2010), and extended by 76 FR 3877 (2011), for feedback and observations regarding the effectiveness of Federal agencies' participation in the development and implementation of standards and conformity assessment activities and programs. We have advised our own members about the Federal Register inquiry, in case they wish to respond. Of course, their opinions are their own, and this response does not represent the views of any members, but only the observations of OASIS professional staff. I. RESPONDENT'S BACKGROUND OASIS is one of the largest and oldest global open data standards consortia, founded in 1993 as SGML Open. OASIS has over 5000 active participants representing about 600 member organizations and individual members in over 80 countries. We host widely-used standards in multiple fields including • cybersecurity & access control (such as WS-Security, SAML, XACML, KMIP, DSS & XSPA) [/1], • office documents and smart semantic documents (such as OpenDocument, DITA, DocBook & CMIS) [/2], and • electronic commerce (including SOA and web services, such as BPEL, ebXML, WS-ReliableMessaging & the WS-Transaction standards) [/3] among other areas. Various specific vertical industries also fulfill their open standards requirements by initiating OASIS projects, resulting in mission-specific standards such as • UBL and Business Document Exchange (for e-procurement) [/4], • CAP and EDML (for emergency first-responder notifications) [/5], and • LegalXML (for electronic court filing data)[/6].
  • Sociotal Creating a Socially Aware Citizen-Centric Internet of Things

    Sociotal Creating a Socially Aware Citizen-Centric Internet of Things

    Ref. Ares(2017)3187879 - 26/06/2017 Specific Targeted Research Projects (STReP) SocIoTal Creating a socially aware citizen-centric Internet of Things FP7 Contract Number: 609112 WP1 – Socially-aware citizen centric architecture and community APIs Deliverable report Contractual date of delivery:31/08/2016 Actual submission date: 31/08/2016 Deliverable ID: D1.2.2 Deliverable Title: Final version of SocIoTal Architecture Responsible beneficiary: UNIS Contributing beneficiaries: UNIS, CEA, UC, CRS4, DNET, UMU Start Date of the Project: 1 September 2013 Duration: 36 Months Revision: 1 Dissemination Level: Public PROPRIETARY RIGHTS STATEMENT This document contains information, which is proprietary to the SOCIOTAL Consortium. Neither this document nor the information contained herein shall be used, duplicated or communicated by any means to any third party, in whole or in parts, except with prior written consent of the SOCIOTAL consortium. FP7 Contract Number: 609112 Deliverable report – WP1 / T1.2/D1.2.1 Document ID: D1.2.1 Document Information Document ID: D1.2.2 Version: Final 1.0 Version Date: 31 August 2016 Authors: Colin O’Reilly (UNIS), Ignacio Elicegui (UC), Carmen Lopez (UC), Luis Sanchez (UC), Jose Luis Hernández, Jorge Bernabé (UMU), Alberto Serra (CRS4), Nenad Gligoric, Srdjan Krco (DNET), Christine Hennebert (CEA), Alexandre MACABIES (CEA), Niklas Palaghias (UNIS) Security: Public Approvals Name Organization Date Visa Project Management K. MOESSNER UNIS Team Internal Reviewer Colin O’Reilly UNIS 24/08/2016 Internal Reviewer Srdjan
  • Donald F. Ferguson, Ph.D

    Donald F. Ferguson, Ph.D

    Donald F. Ferguson, Ph.D. Seeka TV (www.seekatv.com) 21 Hoyt Street 1201 Marquette Ave S., Suite 200 South Salem, NY 10590 Minneapolis, MN 55403 +1 914-548-5001 +1 914-548-4001 [email protected] [email protected] Education 1989 Ph.D., Computer Science, Columbia University. Thesis – “The Application of Microeconomics to the Design of Resource Allocation and Control Algorithms” 1987 M.Phil., Computer Science, Columbia University. 1985 M.S., Computer Science, Columbia University. 1982 B.A. Com Laude, Computer Science, Columbia University. Professional Experience Seeka TV 2016-Present Co-Founder, VP, Head of Engineering Defining and leading technical strategy, architecture, engineering/development for an interactive video/content streaming startup. The platform targets two scenarios: 1) A web channel for independent film and web series creators; 2) Corporate videos and media delivery for education, marketing, conferences, etc. Seeka TV (www.seeka.tv) is currently delivering over 50 independent, professional web series, and is in pilot phase with several enterprises for corporate education/marketing videos. The solution is completely “serverless” using Amazon Web Services and other cloud technology. Core technologies in use include AWS (Lambda Functions, SQS, SNS, RDS, API Gateway, CloudFront, S3), Neo4J, Stripe, Brightcove, MailChimp, OAuth2, Facebook and Twitter APIs. Columbia University Professor of Professional Practice 2018-Present Adjunct Professor, Dept. of Computer Science 2012-Present Full professor and member of faculty starting 2018. Teaching, research, mentoring and helping align department with industry requirements and practices. Teaching popular (80-100 students) senior/master’s level courses on advanced topics in computer science. Supervising student small team projects.
  • Global Namespace Discovery Using a XRI Root-Of-Roots Assumed by ITU-T

    Global Namespace Discovery Using a XRI Root-Of-Roots Assumed by ITU-T

    Geneva, 21 September 2007 Global Namespace Discovery using a XRI root-of-roots assumed by ITU-T Tony Rutkowski Chair, ITU-T IdM FG Requirements WG [email protected] XRI detail slides courtesy of Reed Drummond OASIS Extensible Resource Identifier (XRI) TC International http://xri.net/=drummond.reed Telecommunication Union Identity Discovery Requirements 5.3 Discovery of authoritative Identify Provider resources, services, and federations. A critical IdM challenge in the very dynamic and diverse world of network services and applications is discovering current authoritative sources for the four core IdM categories described above or the federations that are associated with enabling discovery and access of the relevant IdM resources. It is not enough for the IdM capabilities to exist, if a relying party has no means for knowing who and how to reach and interoperate with the authoritative resources for asserted identities treated in the sub-section below. Identity Discovery Provider(s) Query(ies) to discover Identity Resources Response(s) Fig. 9. Identity Management Discovery Services A very significant number of contributions and use-cases during the entire activity period of the Focus Group dealt with Discovery capabilities and associated requirements. Discovery capabilities seem to be widely recognized as one of the most significant needs and gaps – including a consensus that the challenge of providing effective Discovery capabilities are therefore an essential part of trusted Identity Management. Some federations and communities surrounding Open Identity protocols have developed partial solutions to meet discovery needs within the boundaries of their user communities. However, there are no current means for global or inter-federation discovery.