OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?

The CPPA team is awaiting SAML and XACML stability, and then plans to document how capabilities
and agreements for their use are to be included in CPPs, CPA templates, and CPAs. At the moment (v 2.0)
it would have to be handled as an extension. We are also interested in standardizing a way of
pointing to agreed upon credentials for use in access/authentication/authorization. We probably want these
referenced within the CPA, something in the way an XMLDsig KeyInfo can reference certificates. Since
some of these credentials need to be kept confidential, we plan to make use of xml encryption as well.
We may include this discussion in the Negotiation protocol specification currently being written, since
these details are usually settled during the ratification of a CPA agreement. ebXML Messaging could also
benefit from being a little more expansive on these issues in future versions, IMO; possibly SOAP XMLP
will establish some conventions or possibly the new WS-SEC OASIS group?  Dale Moberg
-----Original Message-----
From: Martin W Sachs [mailto:mwsachs@us.ibm.com]
Sent: Thursday, July 18, 2002 5:39 AM
To: andrzej@chaeron.com
Cc: ebxml-dev@lists.ebxml.org
Subject: Re: [ebxml-dev] Authentication/Authorization with MSH?


Do you really want to do authentication/authorization inside the MSH (as defined by the MSG spec)?. If you really mean that you want to do it in the middleware ("BSI"), then I suggest that you look at what is defined in the CPPA specification. The CPPA team has SAML support on its list for post version 2. If I remember correctly, we also have XACML on our futures list.


Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287; IBM tie line 863-7287
Notes address: Martin W Sachs/Watson/IBM
Internet address: mwsachs @ us.ibm.com
Andrzej Jan Taramina <andrzej@chaeron.com>

          Andrzej Jan Taramina <andrzej@chaeron.com>

          07/17/2002 03:49 PM
          Please respond to andrzej

To: ebxml-dev@lists.ebxml.org
Subject: [ebxml-dev] Authentication/Authorization with MSH?

Question has come up as to how best to implement/integrate
authentication/authorization functions with ebXML MSH.

The spec makes reference that authentication would be done by the communications
protocol used. (TLS or IPSEC for example). However, what if you want to
authenticate using some other technique that is independent of the comm protocol?
Any suggestions as to how this should be implemented? Would you authenticate
prior to MSH receiving the message (ie. transparent to MSH)? If the authentication
was called from the MSH instead, then would you return a technical failure or a
business failure condition if the authentication failed (the approach chosen would
determine how acks/auth failures were handled....at the message or the biz
transaction level).

Regarding authorization.....there is mention that exchange of credentials could be
accomplished using SAML (which implies that you could integrate with the Liberty
initiative). But there are no details on how best to do this.

Can anyone point me to some more detailed info, or offer some suggestions as to
how best to incorporate authentication/authorization into MSH?


Chaeron Corporation

The ebxml-dev list is sponsored by OASIS.
To subscribe or unsubscribe from this elist use the subscription
manager: <

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Search: Match: Sort by:
Words: | Help

Powered by eList eXpress LLC