On page 58 of RFC 4871, there is an informative reference to [BONEH03], "Proc. 12th USENIX Security Symposium, "Remote Timing Attacks are Practical", 2003. I'm wondering: What does BONE mean?
I know RFC means "Request For Comments", FIPS means "Federal Information Processing Standards Publication", and ITU means "International Telecommunication Union". So, I'm guessing BONE has a meaning along the same lines, but I have not been able to figure it out after several internet searches.
BONEH refers to Dan Boneh, one of the authors of the "Remote timing attacks are practical" paper that RFC 4871 makes reference to.
Related
If the question doesn't belong on stackoverflow, sorry for the noise. I couldn't find a better suiting site within stackexchange.
Question
There are definitions of:
Selective Forwarding Middlebox (abbreviated SFM) defined in RFC 7667 Section 3.7
Selective Forwarding Unit (abbreviated SFU) defined in WebRTC Glossary
What is the difference of these things? Are they essentially the same?
They are the same. The usage of SFU in a WebRTC context predates RFC 7667 and is hence a much more commonly used term (ironically the RFC itself still mentions 'SFU' in one place without defining the term).
See also this commit which does a simple replace of SFU with SFM.
I'm developping an open source OTA update system for a few MCUs of a certain project. I wonder if there is some "standard" protocol for CAN-bus based bootloaders. Everything I saw online and in Application Notes from the chip manufacturers seem to be using their own brand of communication and thus their own specialized upload software too (mainly for demonstration for ANs).
My question is, am I missing something? Is there some standard way of doing this I'd rather adhere to, or should I just roll my own like they do and call it a day?
Features I'm interested in for the protocol side besides the obvious ones: checksumming, digital signatures, authenticated encryption.
Based on your tag, despite I do not see this from your question, I assume for now that you want to develop a boot-loader for automotive ECUs, which have a CAN connection.
The relevant protocols, which provide the services, are ISO 14229-3 or SAE J1939/73, with the first one much more common to my experience.
For development purposes, also ASAM MCD-1 XCP has support for that.
However, these are just the communication services and does not include usual usage patterns, which differ a lot across the OEMs.
For security, the German OEMs put a document together called "HIS Security. Module Specification", which I unfortunately did not find any more on the web.
They also have a blueprint for the design of a boot-loader.
However, this is anyway somewhat outdated, as boot-loaders today often are at least partially based on AUTOSAR, like the applications.
Last from them, you could also get a document partially specifying how the services above are used for flashing an ECU.
If you need further input, feel free to ask.
However, you will need yourself access to the non-free industry standards and recommendations.
Let's say i code a program under an Open Source license like the GPL which uses strong cryptography in a country which has no restrictions about doing so, and no restrictions in making the software publicly available, like hosting on a hosting provider like github for example.
As of this post github stores all or part of the data it is hosting in several datacenters located on the northern american continent. I have read software incorporating strong cryptography falls under a special USA law about ammunition and as i know even written stuff about implementation of strong cryptography is prohibited to export.
So when pushing my local git repo to an account on github.com, does legal issues arise ? If so, what are good alternatives ?
No, the ammo law no longer applies. There is no restriction.
See, Bernstein v. United States. A a set of court cases brought by Daniel J. Bernstein challenging restrictions on the export of cryptography from the United States.
Also DJB created the delightful curve25519 and it's twisted Edwards variant Ed25519.
I'm currently designing a new enterprise system. The system's purpose is to track, display, and notify employees of customer's interactions (i.e. events) with the company. Using an event source pattern to keep a ledger of all the customer interactions/events being collected seems like a very good fit, since all of our additional domain objects are derived from the stream of events. However, I came across an article saying that a whole-system based off of event sourcing is an anti-pattern. Why would this be?
https://www.infoq.com/news/2016/04/event-sourcing-anti-pattern
The article is indeed summarises the Greg's talk "A Decade of DDD, CQRS, Event Sourcing" at DDD Europe 2016.
I personally dislike the title of this summary since this is definitely not the point of Greg's talk. Basically, as usual, it depends.
When Greg talks about the system, he means the whole thing. This thing, in DDD terms, has a context map, with multiple bounded contexts in place. Usually, on this context map you can identify subdomains, where one or more can be in addition identified as core domain(s).
When you have your core domain - there will be a good fit for advanced techniques, would this be more traditional DDD tactical patterns like aggregates, or "fancier" stuff like Event-Sourcing. The implementation indeed need to be based on the context needs.
From what you describe, you have a good fit for Event-Sourcing. But you might think about other parts of your system, for example, customer/contact management and employee management. These details should come from somewhere. May be these are CRUD candidates? So if your core domain in this case is to track interactions between employees and customers, some sort of CRM, you can decide to build that part using Event-Sourcing and other parts of your system using less advanced techniques.
Remember putting all parts on the context maps anyway, including external systems, then you will see that the system word means in the article and the talk.
The article cites a talk by Greg Young. The relevant section is viewable here.
Young explains that CRUD hides "all kinds of crazy use cases", and gives correcting typos as an example.
He also points out that analysis can be more expensive in an event-sourced system.
In general, having immutable events as the source of truth for a given part of a system, separated from read models, carries costs and should not be adopted blindly.
Young suggests that "something more like event-driven" would be a top-level architecture rather than CQRS/event sourcing.
I'm curious to know some more details about the various SQL standard's, i.e. SQL-92, SQL:99, SQL:2003, SQL:2008 etc. There is a short and useful overview on Wikipedia, with links to very expensive documents. Why are those documents not open to public? Can I find some open and free information?
Please, don't post links you found from Google. I'm interested in somewhat authoritative documentation only.
Quoting from one of my web sites:
We all love open source software. Wouldn’t it be great if
international standard documents such as the SQL standard would be
open too?
As a matter of fact: they are!
However, they are not free—just public. Very much like open source
software is not necessarily free. Too often, we neglect these
differences. Just because we have to pay for the standard doesn't mean
it is secret.
A download of the most relevant part of the SQL standard—part 2—is
available for USD 60 at ANSI. A CD with all parts on it can be bought
from ISO for CHF 352. Not free, but affordable.
You mentioned in some comments that you are mostly interested in part 2, so spending USD 60 might be your best option.
If you just need to know about the syntax up to 2003, there are two great free resources:
BNF grammar of SQL-92, SQL:1999 and SQL:2003: http://www.savage.net.au/SQL/
Online validator for SQL:1999: https://developer.mimer.com/services/sql-validator-99/
Finally, the complete text of “SQL-99 Complete, Really” is available at the MariaDB knowledge base. However, this book was written in 1999 when no database actually supported the described features. Keep that in mind when using this resource.
Other answers also mentioned "free" copies of the standards available on the web. Yes there are—those are mostly draft versions. I can't tell which of them are legal, so I rather not link them.
Finally a little self ad: I've just launched http://modern-sql.com/ to explain the standard in an easily accessible way to developers. Note that the actual standards text is written like laws are written :) Depending on your background, that might anyway not what you want.
The Postgresql Developer FAQ maintains links to each of them:
http://wiki.postgresql.org/wiki/Developer_FAQ#Where_can_I_get_a_copy_of_the_SQL_standards.3F
There are some hyperlinked versions of 92, 99 and 2003 here
However, I've never been able to use them effectively (read: I gave up).
This 92 text is useful (and is quoted here on SO several times)
ISO/IEC 9075-1:2011 -- google that.
Actually, digging around I found
http://www.incits.org/standards-information/
and it has freely availble section that clicks to something that redirects to here:
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
And finally the standards.
You have to accept a license agreement to download a pdf.
However, from what I have read in my pursuit - the RDMS well the 'RD' part is going the way of the dinosaur.. If you are building something new (therefore want the new standards) you may want to reconsider all options.
You don't have to pay for all of the standards. SQL-92 is freely available, for instance.