Subject: RE: Security Proposal

Sid wrote:

> 1)  Aside from some in the "utilities industry", I don't know of PGP
> being used in B2B over internet infrastructure.

NAI claims there are over 7 million PGP users in the world. I can't validate
but they must know approximately how many users exist.

PGP is widely used by security organizations and several major vendors. Here
are a few examples:

IBM: http://www.chips.ibm.com/services/foundry/solutions/faqs/

" Q10. Does IBM Microelectronics support encryption for transferring data?
  IBM Microelectronics SCM encourages, but does not require, customers to
  encrypt their data using the PGP (Pretty Good Privacy) public key
  encryption standard. PGP is an open standard, with clients available for
  PC, Macintosh, and UNIX. IBM Microelectronics SCM will provide a public
  PGP key upon request for customers who want to protect their data when
  they send it over the Internet. "

SUN: All of Sun's security bulletins are signed using PGP. Sun Security
Coordination Team's PGP key:


Here's a pointer to a PGP signed SUN security bulletin:


Microsoft: All security bulletins are signed using PGP

 Microsoft's PGP key can be obtained at:
 which states:
  "Verifying our Digital Signature
   We digitally sign all security bulletins. To verify the signature, please
   download our PGP key. The key's fingerprint is
   5E39 0633 D6B3 9788 F776 D980 AB7A 9432. "

CISCO Systems: uses PGP to sign all their security alerts.

A text version of Cisco security notices will be clear-signed with the Cisco
PSIRT PGP key and posted to the following e-mail addresses and Usenet
first-teams@first.org (which includes the CERT/CC)
Various internal Cisco mailing lists

SANS, another well-regarded security organization, signs their critical
security notices with PGP. Here is a quote from SANS:

  "We are signing the Consensus newsletter with PGP. The new SANS PGP key
   is posted at
    and can be accessed from the SANS Web site (http://www.sans.org)."

CERT: The Computer Emergency Response Team at CMU, a highly regarded
security watchdog organization, signs all their security-related bulletins
using PGP, ref: attached CERT advisory, it states:

   "We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key "


Segments of the U.S. Energy Industry (a $500 Billion dollar a year industry
and growing) are required by FEDERAL LAW to encrypt/sign their business data
using PGP.

Enron alone has done $183 Billion dollars in E-Commerce over the Internet,
that's more than anybody else I'm aware of!
ref: http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54149,00.html


Sid, I challenge you to provide evidence similar to what
I've provided above, indicating widespread utilization/adoption of S/MIME
B2B E-commerce.

> 2)  Not a spec.

I don't understand this comment, please explain.

> 3)  Not much value in PGP support announcement.

Could you explain what you mean by this? Do you mean not much value
to Netfish? I assert that all the organizations I listed above could
potentially benefit by reusing their PGP capabilities over ebXML.

Dick Brooks
Group 8760
110 12th Street North
Birmingham, AL 35203
Fax: 205-250-8057

InsideAgent - Empowering e-commerce solutions

