Wikipedia - Benutzerbeiträge [de]

Tatreez

2024-03-19T20:03:46Z

206.169.134.5:

{{Short description|Traditional Palestinian embroidery}}
'''Tatreez''' ([[Arabic]]: '''تطريز)''' is a form of traditional [[Palestinians|Palestinian]] [[embroidery]].<ref>{{Cite book |last1=Ghnaim |first1=Wafa |title=Tatreez & tea: embroidery and storytelling in the Palestinian diaspora |last2=Ghnaim |first2=Safa |last3=Abbasi-Ghnaim |first3=Feryal |date=2018 |publisher=Self-published by Wafa Ghnaim |isbn=978-1-9869-0715-6 |edition=2. Auflage |location=Brooklyn, NY}}</ref> Tatreez is commonly used on garments and includes a variety of symbols including birds, trees and flowers.<ref>{{Cite news |last=Abdulrahim |first=Raja |date=September 9, 2023 |title=The Threads of Identity in a Palestinian Craft |work=[[The New York Times]] |url=https://www.nytimes.com/2023/09/09/world/middleeast/palestinian-embroidery-indigenous-crafts.html |access-date=November 8, 2023}}</ref> The craft was originally practiced in rural areas of Palestine, but is now common across the [[Palestinian diaspora]]. In 2021 the art of embroidery in Palestine was recognized by [[UNESCO]] as an important [[intangible cultural heritage]].<ref>{{Cite web |title=UNESCO - The art of embroidery in Palestine, practices, skills, knowledge and rituals |url=https://ich.unesco.org/en/RL/the-art-of-embroidery-in-palestine-practices-skills-knowledge-and-rituals-01722 |access-date=2023-11-08 |website=ich.unesco.org |language=en}}</ref><ref>{{Cite web |author=Al Jazeera Staff |title=Palestinian embroidery added to UNESCO cultural heritage list |url=https://www.aljazeera.com/news/2021/12/16/palestinian-embroidery-added-to-unesco-cultural-heritage-list |access-date=2023-11-08 |website=Al Jazeera |language=en}}</ref>

Historically, each village in Palestine had their own tatreez patterns. The different styles of tatreez have become less distinct and have continued to evolve with the diaspora.<ref>{{Cite web |date=2021-06-01 |title=Wafa Ghnaim Uses the Traditional Craft of Tatreez to Preserve and Share Palestinian History |url=https://www.vogue.com/article/tatreez |access-date=2023-11-10 |website=Vogue |language=en-US}}</ref>
[[File:Embroidery from Beersheba Dress (Palestinian Thobe) (2).jpg|thumb|Embroidery from Beersheba Dress (Palestinian thobe) early in 20 century. The red embroidery in Beersheba was worn by married women while the blue by unmarried women/widow.]]

== See also ==

* [[File:Ramallah Dress (Palestinian Thobe).jpg|thumb|Village woman's dress (thobe) from Ramallah,19th century.]][[Palestinian handicrafts]]
* [[Palestinian traditional costumes]]

== References ==
<references />

{{Portal|Textile arts}}
[[Category:Palestinian handicrafts]]
[[Category:History of Palestine (region)]]
[[Category:Embroidery]]
[[Category:Palestinian inventions]]
[[Category:National symbols of the State of Palestine]]

{{Decorative-art-stub}}
[[Category:Textile design]]

Taṭrīz

2024-03-19T20:03:46Z

206.169.134.5:

Online Certificate Status Protocol stapling

2015-06-08T16:41:23Z

206.169.134.5: /* Specification */ Cleaned up grammar and removed broken link.

'''OCSP stapling''', formally known as the TLS '''Certificate Status Request''' extension, is an alternative approach to the [[Online Certificate Status Protocol]] (OCSP) for checking the revocation status of [[X.509]] [[digital certificate]]s.<ref name="IETF-TLS-Extensions-Definitions-RFC6066">{{cite web | url=https://tools.ietf.org/html/rfc6066#section-8 | title=Transport Layer Security (TLS) Extensions: Extension Definitions: Certificate Status Request | publisher=Internet Engineering Task Force (IETF) | date=January 2011 | accessdate=March 2, 2015 | author=Eastlake, D.}}</ref> It allows the presenter of a certificate to bear the resource cost involved in providing OCSP responses by appending ("stapling") a [[timestamp|time-stamped]] OCSP response [[cryptographic signature|signed]] by the CA to the initial [[Transport_Layer_Security#TLS_handshake|TLS Handshake]], eliminating the need for clients to contact the CA.<ref name="CloudFlare-OCSP-Stapling-SSL-Faster">{{cite web | url=https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ | title=OCSP Stapling: How CloudFlare Just Made SSL 30% Faster | publisher=CloudFlare, Inc. | date=October 29, 2012 | accessdate=March 2, 2015 | author=Prince, Matthew}}</ref><ref name="Gibson-OCSP-Must-Staple">{{cite web | url=https://www.grc.com/revocation/ocsp-must-staple.htm | title=Security Certificate Revocation Awareness: The case for “OCSP Must-Staple” | publisher=Gibson Research Corporation | accessdate=March 2, 2015 | author=Gibson, Steve}}</ref>

== Motivation ==

OCSP stapling addresses most of the issues with the original OCSP implementation.<ref name="Gibson-OCSP-Must-Staple" />

The original [[OCSP]] implementation can introduce a significant cost for the certificate authorities (CA) because it requires them to provide responses to every client of a given certificate in real time. For example, when a certificate is issued to a high traffic website, the servers of CAs are likely to be hit by enormous volumes of OCSP requests querying the validity of the certificate.<ref name="Digital-Ocean-Tutorial-OCSP-Stapling">{{cite web | url=https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx | title=How To Configure OCSP Stapling on Apache and Nginx | publisher=Digital Ocean, Inc. | work=Community Tutorials | date=June 12, 2014 | accessdate=March 2, 2015 | author=A., Jesin}}</ref>

OCSP checking potentially impairs users' privacy and slows down browsing, since it requires the client to contact a third party (the CA) to confirm the validity of each certificate that it encounters.<ref name="Digital-Ocean-Tutorial-OCSP-Stapling" />

Moreover, if the client fails to connect to the CA for an OCSP response, then it is forced to decide between two options, neither of which are desirable. The client may either choose to continue the connection anyways, defeating the purpose of OCSP revocation checking, or it may choose to terminate the connection based on the assumption that there is an attack, which decreases usability and could result in excessive false warnings and blocks.<ref name="Mozilla-OCSP-Stapling-Firefox">{{cite web | url=https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ | title=OCSP Stapling in Firefox | publisher=Mozilla Foundation | work=Mozilla Security Blog | date=July 29, 2013 | accessdate=March 2, 2015 | author=Keeler, David}}</ref>

== Solution ==
'''OCSP stapling''' resolves both problems in a fashion reminiscent of the [[Kerberos (protocol)|Kerberos Ticket]]. In a stapling scenario, the certificate holder queries the OCSP server themselves at regular intervals, obtaining a [[cryptographic signature|signed]] [[timestamp|time-stamped]] OCSP response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the [[Transport Layer Security|TLS/SSL Handshake]] via the '''Certificate Status Request''' extension response (note: the TLS client must explicitly include a '''Certificate Status Request''' extension in its '''ClientHello''' TLS/SSL handshake message).<ref name="GlobalSign-OCSP-Stapling">{{cite web | url=https://support.globalsign.com/customer/portal/articles/1618853-ocsp-stapling | title=OCSP Stapling | publisher=GMO GlobalSign Inc. | work=GlobalSign Support | date=August 1, 2014 | accessdate=March 2, 2015}}</ref> While it may appear that allowing the site operator to control verification responses would allow a fraudulent site to issue false verification for a revoked certificate, the stapled responses can't be forged as they need to be directly signed by the [[certificate authority]], not the server.<ref name="Gibson-OCSP-Must-Staple" /> If the client does not receive a stapled response, it will just contact the OCSP server by itself.<ref name="Mozilla-OCSP-Stapling-Firefox" /> However, if the client receives an invalid stapled response, it will abort the connection.<ref name="IETF-TLS-Extensions-Definitions-RFC6066" /> The only increased risk of OCSP stapling is that the notification of revocation for a certificate may be delayed until the last-signed OCSP response expires.

As a result, clients continue to have verifiable assurance from the certificate authority that the certificate is presently valid (or was quite recently), but no longer need to individually contact the OCSP server. This means that the brunt of the resource burden is now placed back on the certificate holder. It also means that the client software no longer needs to disclose users' browsing habits to any third party.<ref name="Digital-Ocean-Tutorial-OCSP-Stapling" />

Overall performance is also improved: When the client fetches the OCSP response directly from the CA, it usually involves the lookup of the domain name of the CA's OCSP server in the DNS as well as establishing a connection to the OCSP server. When OCSP stapling is used, the certificate status information is delivered to the client through an already established channel, reducing overhead and improving performance.<ref name="CloudFlare-OCSP-Stapling-SSL-Faster" />

== Specification ==
The TLS '''Certificate Status Request''' extension (colloquially known as '''OCSP stapling''') is specified in RFC 6066, Section 8.

RFC 6961 defines '''Multiple Certificate Status Request''' extension, which allows a server to send multiple OCSP responses in the TLS handshake.

A draft proposal for an X509v3 extension field, which expired in April 2013, specified that a compliant server presenting a certificate carrying the extension must return a valid OCSP token in its response if the status_request extension is specified in the TLS client hello.<ref>P. Hallam-Baker, [https://tools.ietf.org/html/draft-hallambaker-muststaple-00 X.509v3 Extension: OCSP Stapling Required]</ref> The current version of the proposal has been extended to support additional TLS extensions.<ref>P. Hallam-Baker [https://tools.ietf.org/html/draft-hallambaker-tlsfeature-05 X.509v3 TLS Feature Extension draft-hallambaker-tlsfeature-05]</ref> TLS developer Adam Langley discussed the extension in an April 2014 article following the repair of the [[Heartbleed]] OpenSSL bug.<ref>A. Langley, [https://www.imperialviolet.org/2014/04/19/revchecking.html No, don't enable revocation checking], April 19, 2014.</ref>

== Deployment ==
OCSP stapling has not seen broad deployment to date, however this is changing. The [[OpenSSL]] project included support in their 0.9.8g release with the assistance of a grant from the [[Mozilla Foundation]].

[[Apache HTTP Server]] supports OCSP stapling since version 2.3.3,<ref>[https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusestapling Apache HTTP Server mod_ssl documentation - SSLUseStapling directive]</ref> the [[nginx]] web server since version 1.3.7,<ref>[http://mailman.nginx.org/pipermail/nginx-announce/2012/000095.html nginx-announce mailing list - nginx-1.3.7]</ref> [[LiteSpeed Web Server]] since version 4.2.4,<ref>[http://www.litespeedtech.com/products/litespeed-web-server/release-log Release Log - Litespeed Tech]. Retrieved 2014-02-07,</ref> Microsoft's [[Internet Information Services|IIS]] since [[Windows Server 2008]],<ref>{{cite web|last=Duncan|first=Robert|title=Microsoft Achieves World Domination (in OCSP Stapling)|url=http://news.netcraft.com/archives/2013/07/19/microsoft-achieves-world-domination-in-ocsp-stapling.html|publisher=Netcraft Ltd|accessdate=28 April 2014}}</ref> [[HAProxy]] since version 1.5.0,<ref>[http://www.haproxy.org/ HAProxy website]</ref> and [[F5 Networks]] BIG-IP since version 11.6.0.<ref>[https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-6-0.html Release Note: BIG-IP LTM and TMOS 11.6.0]</ref>

On the browser side, OCSP stapling was implemented in [[Firefox]] 26,<ref name="Mozilla-OCSP-Stapling-Firefox" /><ref>[[mozillawiki:CA:ImprovingRevocation#OCSP Stapling|Improving Revocation - MozillaWiki]], retrieved 2014-04-28</ref> in [[Internet Explorer]] since [[Windows Vista]],<ref>{{cite web|title=How Certificate Revocation Works|url=http://technet.microsoft.com/en-us/library/ee619754%28WS.10%29.aspx|work=TechNet|publisher=Microsoft|date=16 March 2012|accessdate=28 April 2014}}</ref> and Google Chrome in Linux, [[Chrome OS]], and Windows since Vista.<ref>{{cite web|title=Issue 361820: Check For Server Certificate Revocation checkbox is confusing|url=https://code.google.com/p/chromium/issues/detail?id=361820#c7|work=Google Code|publisher=Google|date=10 April 2014}}</ref>

For SMTP the [[Exim]] [[message transfer agent]] supports OCSP stapling in both
client <ref>[http://exim.org/exim-html-4.85/doc/html/spec_html/ch-the_smtp_transport.html The smtp transport], retrieved 2015-01-24</ref>
and server <ref>[http://exim.org/exim-html-4.85/doc/html/spec_html/ch-main_configuration.html#SECTalomo Main configuration], retrieved 2015-01-24</ref> modes.

== Limitations ==

OCSP stapling is designed to reduce the cost of an OCSP validation---both for the client and the OCSP responder---especially for large sites serving many simultaneous users. However, OCSP stapling supports only one OCSP response at a time, which is insufficient for certificate chains with intermediate CA certs.<ref>[https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c10 Mozilla NSS Bug 360420], Comment by Adam Langley</ref><ref>[https://bugzilla.mozilla.org/show_bug.cgi?id=611836 Mozilla NSS Bug 611836 - Implement multiple OCSP stapling extension]</ref>

This limitation has been addressed by Multiple Certificate Status Request Extension, specified in RFC 6961. It adds the support for sending multiple OCSP responses.<ref>{{cite web | url=https://tools.ietf.org/html/rfc6961 | title=The Transport Layer Security (TLS) Multiple Certificate Status Request Extension | publisher=[[Internet Engineering Task Force]] | date=June 2013 | accessdate=31 October 2014 | author=Pettersen, Yngve N.}}</ref>

== References ==
<references/>

{{SSL/TLS}}

[[Category:Cryptographic protocols]]
[[Category:Internet Standards]]
[[Category:Internet protocols]]
[[Category:Transport Layer Security]]