RE: [ebxml-dev] Hermes1: Howto configure Persistent Confidentiality?

Pim,
 
Hermes 1 is not intended to be a clearing house center style hub.  It's for use by spokes in a hub and spoke style exchanges - where the hub would be expected to perform the more extended operations. 
 
You can also happily use Hermes as a hub if you are the end point hub - or the information is not confidential. We are using Hermes to route to Hermes and then another final Hermes destination.  That is all controlled with SSL and certificates and CPA configuration.  I agree though that if you are connecting multiple hubs together with extended routing needs - then you need one of the commercial products designed to do all that.  You can still use Hermes at the spokes - but then the hub would need to do the extended handling for you.
 
Horses for courses as we say!
 
DW

"The way to be is to do" - Confucius (551-472 B.C.)


-------- Original Message --------
Subject: RE: [ebxml-dev] Hermes1: Howto configure Persistent Confidentiality?
From: "Pim van der Eijk" <lists@sonnenglanz.net>
Date: Sun, December 17, 2006 4:20 am
To: <ebxml-dev@lists.ebxml.org>

XML encryption is relevant when using the multi-hop feature of ebMS.  SSL only secures the data in transit between hops. The messages would (temporarily) be in clear text at the store-and-forward intermediary.  In some environments, this is seen as a risk (when is the message store purged, who has read permission for the file system storing these messages, are they security cleared..).
 
The ebMS2 spec says that "The XML Encryption standard shall be the default encryption method when XML Encryption has achieved W3C Recommendation status",
which was on 10 December 2002. There are products that do support XML Encryption with ebMS2 / HTTP. It's unfortunate Hermes doesn't appear to be one of them.
 
Pim van der Eijk
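The distinction Pim draws above (transport security between hops versus encryption that stays with the payload through the store-and-forward hub) is illustrated by the Go program below. It is an added example, not code from Hermes, from any product mentioned in the thread, or from any participant. It models the hub's message store as the raw payload container the sender built, wraps the payload in an xenc:EncryptedData element with AES-128-GCM (the XML Encryption 1.1 algorithm identifier), and shows that a sensitive value is searchable in the stored cleartext but not in the stored ciphertext, while the final recipient still recovers it. Assumptions not on the page: the two spokes share the AES key out of band (so no xenc:EncryptedKey element is emitted), the envelope omits ds:KeyInfo, the invoice document and the hypothetical helper names are constructed, and Go is used instead of Hermes's own Java because its standard library carries AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

const (
	xencNS    = "http://www.w3.org/2001/04/xmlenc#"
	aes128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
)

// Constructed sample business document for the payload container; it is not
// taken from any real exchange or from the Hermes project.
const samplePayload = `<Invoice><Customer>ACME</Customer><Amount>1200.00</Amount></Invoice>`

// exposedAtHub models the risk Pim describes: with hop-by-hop SSL/TLS only, the
// bytes the intermediary writes to its message store are exactly the payload
// container the sender built, so anyone who can read that store can search it.
func exposedAtHub(storedPayload, sensitiveValue string) bool {
	return strings.Contains(storedPayload, sensitiveValue)
}

// encryptPayload wraps the payload in an xenc:EncryptedData element using
// AES-128-GCM. Per XML Encryption 1.1 the CipherValue carries
// IV || ciphertext || authentication tag, base64-encoded.
// Assumption: the AES key is pre-shared, so no xenc:EncryptedKey is emitted.
func encryptPayload(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, []byte(plaintext), nil) // ciphertext || tag
	cipherValue := base64.StdEncoding.EncodeToString(append(iv, sealed...))
	return fmt.Sprintf(`<xenc:EncryptedData xmlns:xenc=%q Type=%q>`+
		`<xenc:EncryptionMethod Algorithm=%q/>`+
		`<xenc:CipherData><xenc:CipherValue>%s</xenc:CipherValue></xenc:CipherData>`+
		`</xenc:EncryptedData>`, xencNS, xencNS+"Element", aes128GCM, cipherValue), nil
}

// encryptedData holds the parts of xenc:EncryptedData needed to decrypt. The
// tags carry no namespace, so encoding/xml matches local names whatever prefix
// the sender used.
type encryptedData struct {
	EncryptionMethod struct {
		Algorithm string `xml:"Algorithm,attr"`
	} `xml:"EncryptionMethod"`
	CipherValue string `xml:"CipherData>CipherValue"`
}

// decryptPayload is what the final recipient runs; the intermediary holds no
// key and therefore cannot do this. GCM also rejects a tampered CipherValue.
func decryptPayload(key []byte, encXML string) (string, error) {
	var ed encryptedData
	if err := xml.Unmarshal([]byte(encXML), &ed); err != nil {
		return "", err
	}
	if ed.EncryptionMethod.Algorithm != aes128GCM {
		return "", fmt.Errorf("unsupported EncryptionMethod %q", ed.EncryptionMethod.Algorithm)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(ed.CipherValue))
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n+gcm.Overhead() {
		return "", fmt.Errorf("CipherValue too short (%d bytes)", len(raw))
	}
	plaintext, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong key or tampered payload): %w", err)
	}
	return string(plaintext), nil
}

func main() {
	key := make([]byte, 16) // assumption: AES-128 key pre-shared between the two spokes
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, err := encryptPayload(key, samplePayload)
	if err != nil {
		panic(err)
	}
	pt, err := decryptPayload(key, enc)
	fmt.Println("cleartext payload searchable at hub:", exposedAtHub(samplePayload, "1200.00"))
	fmt.Println("encrypted payload searchable at hub:", exposedAtHub(enc, "1200.00"))
	fmt.Println("final recipient recovers original:", err == nil && pt == samplePayload)
}
```

The hub still sees the routing header, which is what it needs to forward the message; only the payload container is opaque to it. That is the "persistent confidentiality" Albert asked about: the protection does not end where the SSL connection does.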


From: Gait Boxman [mailto:gait.boxman@tie.nl]
Sent: 15 December 2006 08:38
To: ebxml-dev@lists.ebxml.org
Subject: Re: [ebxml-dev] Hermes1: Howto configure Persistent Confidentiality?

Hi Albert,

depends on what you mean by that exactly.

If you ask: will Hermes do XML Encryption for me and how do I turn that on? No, Hermes implements ebMS 2.0, and at the time of that spec, XML Enc was not ready yet.
If you ask will Hermes send XML Encrypted payloads? Yes, Hermes will send any payload, just make sure it's identified correctly, see David's response as well.
If you ask can I build a Hermes client that will do this transparently from the rest of my environment? Depends on your programming skills, but I'd say it can be done. However, that would defeat the purpose of the encryption. All traffic of ebMS can be SSL encrypted (for HTTP) or S/MIME encrypted (for mail transfer), and the client/server traffic inside Hermes can run over HTTPS. If you want *persistent* encryption, you need Hermes to deliver the payload encrypted anyway..
I believe ebMS 3.0 introduces XML Enc as a replacement/alternative for S/MIME mail encryption, but that won't help you for your persistent requirement.

Out of curiosity, why do you need persistent encryption, is the receiving Hermes client system not trustworthy?

kind regards, Gait Boxman.

Kappe, Albert wrote:
Hello,

Does Hermes1 support Persistent Confidentiality for ebXML Payload Containers using XML Encryption?

If yes, I could appreciate any help on implementing XML Encryption for Hermes1.

Regards, Albert Kappe
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.


