OASIS Mailing List Archives

ebxml-poc message


Subject: Re: Security Proposal

>> If the POC used PGP there would be no need for a CA. The POC participants
>> would simply exchange public keys (which also cost $0, as compared to PKI
>> certificates). Would POC implementers be interested in using PGP

I would like to correct the above statement about PKI certs costing
money.  It is a trivial operation to set up our own CA; in fact, I have
done it in 10 minutes using open source software (see
www.openssl.org).  What costs is to have a company such as Verisign
vouch for your certificate, the whole trust issue.  We can circumvent
the trust issue by defining trust ourselves.

Using PGP would be the bottom of the barrel solution, and I am not so 
sure what it would prove to anybody who is in the know.  Should the POC 
only speak to people who do not know what they are watching exactly?  
Making the wrong choice here could spawn more of those "ebxml is lame" 
quotes in prominent media.  We might just as well Base64 encode the 
payloads and declare it to be encrypted!

** Should this group choose to choose certificate based encryption,
XMLGlobal will form a CA and sign participant signatures so that they
are recognized by the CA for the purposes of the POC in Vancouver.

If PGP is the choice, there is an open source alternative available at 
www.gnupg.org.  GnuPG conforms to RFC2440.


Matthew MacKenzie
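
The private-CA approach the message describes (a group-run CA that signs participant certificates so that trust is defined by the group itself), sketched with the OpenSSL command line as an added example; it is not part of the original message. The names, the scratch directory, and the key size, hash and lifetime are constructed for illustration, and OpenSSL 1.1.0 or later is assumed for `-no-CApath`.

```shell
#!/bin/sh
# Added example: constructed names and parameters; OpenSSL 1.1.0+ assumed.
set -eu

POC_DIR=$(mktemp -d)   # scratch directory for the demo keys and certificates

# Create the group's own root: a self-signed CA certificate and its private key.
make_poc_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example POC/CN=Example POC Root CA" \
        -keyout "$POC_DIR/ca.key" -out "$POC_DIR/ca.crt" 2>/dev/null
}

# A participant generates a key pair and a certificate signing request (CSR).
make_csr() {   # $1 = participant name (hypothetical)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example POC/CN=$1" \
        -keyout "$POC_DIR/$1.key" -out "$POC_DIR/$1.csr" 2>/dev/null
}

# The CA operator signs the CSR; the result chains to the group's root.
sign_csr() {   # $1 = participant name
    openssl x509 -req -in "$POC_DIR/$1.csr" -sha256 -days 30 \
        -CA "$POC_DIR/ca.crt" -CAkey "$POC_DIR/ca.key" -CAcreateserial \
        -out "$POC_DIR/$1.crt" 2>/dev/null
}

# Trust decision: accept only chains ending at the POC root, not system roots.
trusted_by_poc() {   # $1 = certificate file
    openssl verify -CAfile "$POC_DIR/ca.crt" -no-CApath "$1" >/dev/null 2>&1
}

make_poc_ca
make_csr participant-a
sign_csr participant-a

# A self-signed certificate that the group CA never signed, for contrast.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=outsider" -keyout "$POC_DIR/outsider.key" \
    -out "$POC_DIR/outsider.crt" 2>/dev/null

for name in participant-a outsider; do
    if trusted_by_poc "$POC_DIR/$name.crt"; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done
```

The CA private key (`ca.key` here) is the whole trust anchor for the group, so in a real deployment it would be passphrase-protected and kept off shared machines.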
