ebxml-dev message
Subject: RE: [ebxml-dev] Authentication/Authorization with MSH?
- From: Dale Moberg <dmoberg@cyclonecommerce.com>
- To: Martin W Sachs <mwsachs@us.ibm.com>, andrzej@chaeron.com
- Date: Thu, 18 Jul 2002 07:46:44 -0700
The CPPA team is awaiting SAML and XACML stability, and then plans to document how capabilities and agreements for their use are to be included in CPPs, CPA templates, and CPAs. At the moment (v 2.0) it would have to be handled as an extension.

We are also interested in standardizing a way of pointing to agreed upon credentials for use in access/authentication/authorization. We probably want these referenced within the CPA, something in the way an XMLDsig KeyInfo can reference certificates. Since some of these credentials need to be kept confidential, we plan to make use of xml encryption as well.

We may include this discussion in the Negotiation protocol specification currently being written, since these details are usually settled during the ratification of a CPA agreement. ebXML Messaging could also benefit from being a little more expansive on these issues in future versions, IMO; possibly SOAP XMLP will establish some conventions or possibly the new WS-SEC OASIS group?

Dale Moberg

Andrzej,

Do you really want to do authentication/authorization inside the MSH (as defined by the MSG spec)? If you really mean that you want to do it in the middleware ("BSI"), then I suggest that you look at what is defined in the CPPA specification. The CPPA team has SAML support on its list for post version 2. If I remember correctly, we also have XACML on our futures list.

Regards,
Marty
*************************************************************************************
Martin W. Sachs
IBM T. J. Watson Research Center
P. O. B. 704
Yorktown Hts, NY 10598
914-784-7287; IBM tie line 863-7287
Notes address: Martin W Sachs/Watson/IBM
Internet address: mwsachs @ us.ibm.com
*************************************************************************************
Andrzej Jan Taramina <andrzej@chaeron.com>
To: ebxml-dev@lists.ebxml.org
cc:
Subject: [ebxml-dev] Authentication/Authorization with MSH?

Question has come up as to how best to implement/integrate authentication/authorization functions with ebXML MSH.

The spec makes reference that authentication would be done by the communications protocol used. (TLS or IPSEC for example). However, what if you want to authenticate using some other technique that is independent of the comm protocol?

Any suggestions as to how this should be implemented? Would you authenticate prior to MSH receiving the message (ie. transparent to MSH)? If the authentication was called from the MSH instead, then would you return a technical failure or a business failure condition if the authentication failed (the approach chosen would determine how acks/auth failures were handled....at the message or the biz transaction level).

Regarding authorization.....there is mention that exchange of credentials could be accomplished using SAML (which implies that you could integrate with the Liberty initiative). But there are no details on how best to do this.

Can anyone point me to some more detailed info, or offer some suggestions as to how best to incorporate authentication/authorization into MSH?

Thanks!

...Andrzej

Chaeron Corporation
http://www.chaeron.com
----------------------------------------------------------------
The ebxml-dev list is sponsored by OASIS.
To subscribe or unsubscribe from this elist use the subscription manager: <http://lists.ebxml.org/ob/adm.pl>