OASIS Mailing List Archives

ebxml-regrep message


Subject: RE: ebXML Registry Security Proposal


	Good work. Thanks for working this over and presenting to the security
team. Here are some of my thoughts and ideas.

	1.	I assume we expect the full certificate chain so that we can validate CA
hierarchy. What is the plan for the TRP?
	2.	If not we will need to keep a CA list and add to it as required. This is
what browsers do. They come with a list and one can add CAs as required.
Again, how does TRP plan to handle this?
	3.	For expired certificates, we will need an "expired" state for the
	4.	I assume for Phase 1, we will maintain the security info model as shown
in Page 14, but will not be accessible from outside thru APIs.
		a)	We will have three roles : Owner, RegistryAdmin and Guest.
		b)	Owner and RegistryAdmin have permission to all methods (*)
		c)	Guest has the getxxxx permissions
		d)	We create these permission objects automatically when content is
		e)	This scheme would make it easy (and compatible) when Phase II comes,
with use manageable roles, permissions et al
	5.	Now that the security team has seen our ideas, the next plan for us is
to complete the security document as follows:
		a)	Use cases for all the scenarios in 4) above
		b)	Refine the obj model
		c)	Ongoing task - incorporate ideas, suggestions et al. Reflect the TRP
security as required.
		d)	And .... the fun part .... implement the security for the POC (Of
course, I volunteer for that ;-))
		e)	I will try to get the first cut by COB Sunday.


	Just as a thought, for the next POC we will need a CA as well! Till now we
could get by with a DNS server! And if we want to validate the certificate
from VeriSign et al, we will need internet connection too!

-----Original Message-----
From: Farrukh Najmi - JavaSoft East [mailto:Farrukh.Najmi@east.sun.com]
Sent: Wednesday, December 06, 2000 8:26 PM
To: Farrukh.Najmi@east.sun.com; ebxml-regrep@lists.ebxml.org
Subject: Re: ebXML Registry Security Proposal

Attachment added this time.

<Farrukh.Najmi@east.sun.com> wrote:
>Date: Wed, 06 Dec 2000 23:21:24 -0500
>Attached is a slide presentation that reflects the current state of the
>proposal for ebXML Registry security. It reflects joint work between
>Steve Hanna and myself.
>This proposal was presented to the ebXML Security
>team's f2f meeting today. The security team felt that the proposal was
>close to what is needed for a minimal yet effective Release 1 solution and
>one that fits well with the works of the security team.
>On the issue of whether we can only rely on Certificate based
>and not do userid/password based authentication the feeling was that it
>a good idea because it provide a more secure solution in which content
>be traced to its submitter more reliably. The model adds small cost to SO
>(less than $50 per year), and provides more trustworthy content to the
>of users of the registry who are simply browsing and retrieving content. So
>from a security standpoint it is a good compromise. However, it was
>that the Registry team validate that it is OK to not do userid/password.
>should at the very least push userid/password to phase 2 or better just
>it out all together.
>Please send your thoughts as we will need to add this proposal to the spec
>next few weeks.
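
The Phase 1 role model from item 4 of the reply above (Owner, RegistryAdmin, Guest), sketched as an added example; it is not part of the original thread or of any ebXML registry implementation. The method names, the subject DNs and the choice to identify the owner by the subject DN of the submitting certificate are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Phase 1 defaults from item 4: Owner and RegistryAdmin may call every
# method ("*"); Guest may call only the getxxxx methods ("get*").
DEFAULT_PERMISSIONS = {
    "Owner": ("*",),
    "RegistryAdmin": ("*",),
    "Guest": ("get*",),
}


@dataclass
class RegistryObject:
    object_id: str
    # Assumption: the owner is recorded as the subject DN of the
    # certificate that authenticated the submission.
    owner_dn: str
    # Per-object permission objects: role name -> allowed method patterns.
    permissions: dict = field(default_factory=lambda: dict(DEFAULT_PERMISSIONS))


def resolve_role(subject_dn, obj, admin_dns):
    """Map an authenticated certificate subject to a role for one object.

    subject_dn is None for a caller that presented no certificate.
    """
    if subject_dn is not None and subject_dn in admin_dns:
        return "RegistryAdmin"
    if subject_dn is not None and subject_dn == obj.owner_dn:
        return "Owner"
    return "Guest"  # everyone else, including unauthenticated browsers


def is_allowed(subject_dn, method, obj, admin_dns=frozenset()):
    """Return True if the caller's role permits `method` on `obj`."""
    role = resolve_role(subject_dn, obj, admin_dns)
    # Fail closed: a role with no permission object gets no access.
    patterns = obj.permissions.get(role, ())
    # Case-sensitive, anchored match: "get*" allows getObject, not forgetObject.
    return any(fnmatchcase(method, pattern) for pattern in patterns)
```

Keeping the defaults as ordinary per-object permission entries, rather than hard-coding the three roles into the check, is what lets a later phase swap in user-managed roles without changing `is_allowed`.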
