OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-bp message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: issue 57 on security parameters

I see what you mean. Persistent/Transient, while not necessarily directly
technology related, certainly are related to the software stack, and we have
to decide whether that is a good thing to specify in a business process or

Here is my personal interpretaion (Chris, correct me if it is different from
yours). Persistent means "all the way into the application space", and
Transient means, "transport level" only. The business equivalent of this might
be Persistent meaning "TrustedParty to TrustedParty", vs. Transient meaning
"Firewall-to-Firewall". For instance exchange of personal health information
from a doctor to an insurance company might need to be "TrustedParty to
TrustedParty", meaning that no-one but the doctor and the claim adjustor are
allowed to see it, whereas a purchase order between two companies probably is
probably only required to be secure "Firewall-to-Firewall" (if that). 

Regardless of our decision on the boolean-vs-threeway value, we should decide
whether it makes sense to have a catch-all flag at transaction level, while
maintaining individual flags for TamperProof, Authenticated, Confidential at
the DocumentFlow level, and if so, we need to describe the override
relationship between the two.


>Are the 3 values technical values (for the benefit of the under lying
>or business values (facilitates the business semantics).
>I suspect the former may be true. What is the meaning of the values in and
>themselves. Confidential, tamperproof, and authenticated  are concepts taken
>the UN/ECE and ABA standards and are boolean in definition (Yes,No). At the
>level, the semantics are still business semantics. I think we need some
>clarity on
>the meaning of the values.
>Karsten Riemer wrote:
>> Jamie,
>> for your write-up for Tuesday, here is Chris Ferris's recommendation.
>> 1. For the three security parameters (isConfidential, isTamperProof,
>> isAuthenticated) that reside on DocumentFlow and on Attachment, change the
>> datatype from boolean to 'docSecurity', i.e. either "No", "persistent", or
>> "transient". 2. Replace attribute isSecureTransportRequired on
>> BusinessTransaction with the same triplet of attibutes in 1. above.
>> Note, if we do this, we should also change UMM accordingly.
>> Writing this, I am actually wondering about the value of being able to
>> security at the transaction level if you have it at documentFlow level.
>> Instead, it would seem a good idea to be able to override this at
>> BusinessTransactionActivity level. I won't push this, just a thought, I
>> bow to the experts. It just is an example of where parameterized overrides
>> would be a very useful generic feature.
>> -karsten
>> ------------------------------------------------------------------
>> To unsubscribe from this elist send a message with the single word
>> "unsubscribe" in the body to: ebxml-bp-request@lists.ebxml.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Search: Match: Sort by:
Words: | Help

Powered by eList eXpress LLC