OASIS Mailing List Archives

ebxml-poc message

Subject: Re: Security Proposal


Guys,

Let's try not to lose sight of the point.  Some will use PGP in 
implementation, some will use certificates.  PGP provides great security if
used properly, but it does not validate the identity of the user, though 
that is really irrelevant here.  What ebXML needs to do is provide a 
generic way to specify which encryption technique is in use for a 
particular payload.  I propose that this be done by an added MIME header 
in the payload, something like Encryption-Type.  Then with that, ebXML 
can have a couple of suggested encryption methods, perhaps OpenPGP and 
PKI, and others can be employed within the same framework if needed.  
EbXML should not attempt to lock in a particular encryption method.

Cheers,

Matt

Dick Brooks wrote:

> Sid wrote:
> 
>> 1)  Aside from some in the "utilities industry", I don't know of PGP
>> being used in B2B over internet infrastructure.
>> 
> 
> NAI claims there are over 7 million PGP users in the world. I can't validate
> this, but they must know approximately how many users exist.
> 
> PGP is widely used by security organizations and several major vendors, here
> are a few examples:
> 
> IBM: http://www.chips.ibm.com/services/foundry/solutions/faqs/
> 
> " Q10. Does IBM Microelectronics support encryption for transferring data?
>   IBM Microelectronics SCM encourages, but does not require, customers to
>   encrypt their data using the PGP (Pretty Good Privacy) public key encryption
>   standard. PGP is an open standard, with clients available for PC, Macintosh,
>   and UNIX workstations.
>   IBM Microelectronics SCM will provide a public PGP key upon request for
>   customers who want to protect their data when they send it over the Internet. "
> 
> ----------
> SUN: All of Sun's security bulletins are signed using PGP. Sun Security
> Coordination Team's PGP key:
> 
> http://sunsolve.sun.com/pgpkey.txt
> 
> Here's a pointer to a PGP signed SUN security bulletin:
> 
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/199&type=0&nav=sec.sba
> 
> -----------
> Microsoft: All security bulletins are signed using PGP
> 
>  Microsoft's PGP key can be obtained at:
>  http://www.microsoft.com/technet/security/notify.asp
>  which states:
>   "Verifying our Digital Signature
>    We digitally sign all security bulletins. To verify the signature, please
>    download our PGP key. The key's fingerprint
>    is 5E39 0633 D6B3 9788 F776 D980 AB7A 9432. "
> 
> -----------
> CISCO Systems: uses PGP to sign all their security alerts.
> 
> A text version of Cisco security notices will be clear-signed with the Cisco
> PSIRT PGP key and posted to the following e-mail addresses and Usenet
> newsgroups:
> cust-security-announce@cisco.com
> bugtraq@securityfocus.com
> firewalls@lists.gnac.net
> first-teams@first.org (which includes the CERT/CC)
> cisco@spot.colorado.edu
> cisco-nsp@puck.nether.net
> comp.dcom.sys.cisco
> Various internal Cisco mailing lists
> 
> ------------
> SANS, another well-regarded security organization, signs their critical
> security notices with PGP; here is a quote from SANS:
> 
>   "We are signing the Consensus newsletter with PGP. The new SANS PGP key
>    is posted at
>    (http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
>     and can be accessed from the SANS Web site (http://www.sans.org)."
> 
> ------------
> CERT: The Computer Emergency Response Team at CMU, a highly regarded
> security watchdog organization, signs all their security-related bulletins
> using PGP, ref: the attached CERT advisory, which states:
> 
>    "We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
> 
>    http://www.cert.org/CERT_PGP.key "
> 
> ------------
> 
> Segments of the U.S. Energy Industry (a $500 billion a year industry and growing)
> are required by FEDERAL LAW to encrypt/sign their business data using PGP.
> 
> Enron alone has done $183 billion in E-Commerce over the Internet, that's more
> than anybody else I'm aware of!
> ref: http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54149,00.html
> 
> ------------
> 
> Sid, I challenge you to provide evidence similar to what I've provided above,
> indicating widespread utilization/adoption of S/MIME for B2B E-commerce.
> 
>> 2)  Not a spec.
>> 
> 
> I don't understand this comment, please explain.
> 
> 
>> 3)  Not much value in PGP support announcement.
>> 
>> 
> 
> Could you explain what you mean by this? Do you mean not much value
> to Netfish? I assert that all the organizations I listed above could
> potentially benefit by reusing their PGP capabilities over ebXML.
> 
> 
> Dick Brooks
> Group 8760
> 110 12th Street North
> Birmingham, AL 35203
> dick@8760.com
> 205-250-8053
> Fax: 205-250-8057
> http://www.8760.com/
> 
> InsideAgent - Empowering e-commerce solutions
> 
> 
> 
> 
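The per-payload header Matt proposes above, worked through as an added example (this is not code from the thread, from any ebXML specification, or from any of the vendors cited): the header name Encryption-Type, the accepted method names "OpenPGP" and "PKCS7", and the sample multipart message are all assumptions made here for illustration. The point a receiver has to get right is that the header is sender-controlled data, so it must not be the only thing that selects the decryptor or verifier: the code below checks the declared method against an allow-list and against what the part's content type and body actually look like, and refuses to process a part whose header is missing, unknown, or contradicted by its contents.

```python
"""Per-payload encryption-method selection via a MIME header.

Added example for the "Encryption-Type" header idea in the message above.
The header name, the accepted method names, and the sample message are
assumptions made here for illustration, not ebXML specification text.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

ENC_HEADER = "Encryption-Type"            # name suggested in the message; not standardized
ACCEPTED_METHODS = {"OpenPGP", "PKCS7"}   # receiver policy: an allow-list, not "whatever the sender says"

# Inline OpenPGP ASCII armor (RFC 4880), the form used for clear-signed advisories.
PGP_ARMOR = re.compile(r"^-----BEGIN PGP (?:MESSAGE|SIGNED MESSAGE)-----", re.M)


def build_payload(parts):
    """Build a multipart/mixed message; each (enc_type, content_type, body)
    becomes one part carrying an Encryption-Type header (None = omit it)."""
    msg = EmailMessage(policy=default)
    msg["Subject"] = "ebXML message with per-payload encryption (constructed sample)"
    msg.make_mixed()
    for enc_type, content_type, body in parts:
        part = EmailMessage(policy=default)
        maintype, subtype = content_type.split("/", 1)
        if isinstance(body, bytes):
            part.set_content(body, maintype=maintype, subtype=subtype, cte="base64")
        else:
            part.set_content(body, subtype=subtype)   # text/<subtype>
        if enc_type is not None:
            part[ENC_HEADER] = enc_type
        msg.attach(part)
    return msg.as_string()


def observed_method(part):
    """What the part *looks like*, independent of what its header claims."""
    ctype = part.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return "PKCS7"                                  # S/MIME enveloped or signed data
    if ctype in ("application/pgp-encrypted", "multipart/encrypted"):
        return "OpenPGP"                                # PGP/MIME (RFC 3156)
    if ctype.startswith("text/") and PGP_ARMOR.search(part.get_content()):
        return "OpenPGP"                                # inline armored PGP
    return None


def classify_payload(raw):
    """Return one dict per part: declared method, observed method, and the
    receiver's decision. Declared and observed must agree and be on the
    allow-list; otherwise the part is not handed to any decryptor/verifier."""
    msg = message_from_string(raw, policy=default)
    results = []
    for idx, part in enumerate(msg.iter_parts()):
        declared = part.get(ENC_HEADER)
        declared = str(declared) if declared is not None else None
        observed = observed_method(part)
        if declared is None:
            status = "missing-header"
        elif declared not in ACCEPTED_METHODS:
            status = "rejected"
        elif observed != declared:
            status = "mismatch"
        else:
            status = "ok"
        results.append({"part": idx, "declared": declared,
                        "observed": observed, "status": status})
    return results


# Constructed sample payloads; the ciphertext bodies are placeholders, not real data.
SAMPLE_PARTS = [
    ("OpenPGP", "text/plain",
     "-----BEGIN PGP MESSAGE-----\n\nhQEMA0NvbnN0cnVjdGVkU2FtcGxlTm90UmVhbA==\n"
     "-----END PGP MESSAGE-----\n"),
    ("PKCS7", "application/pkcs7-mime", b"\x30\x82\x01\x00 constructed DER placeholder"),
    ("OpenPGP", "text/plain", "<PurchaseOrder>cleartext despite the header</PurchaseOrder>\n"),
    ("ROT13", "text/plain", "abg n erny rapelcgvba zrgubq\n"),
    (None, "text/plain", "<Invoice>no header at all</Invoice>\n"),
]


if __name__ == "__main__":
    for row in classify_payload(build_payload(SAMPLE_PARTS)):
        print(f"part {row['part']}: declared={row['declared']!s:<8} "
              f"observed={row['observed']!s:<8} -> {row['status']}")
```

Running the block classifies the five constructed parts as ok, ok, mismatch, rejected and missing-header respectively. The "mismatch" case is the one worth noting for a framework that, as Matt suggests, leaves the choice of method open: a receiver that dispatched on the header alone would hand cleartext to an OpenPGP handler, and a receiver that accepted any header value would let a sender name a method nobody agreed to.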
