OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

ebxml-regrep message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


Subject: RE: ebXML Registry Security Proposal


FN,

	Good work. Thanks for working this over and presenting to the security
team. Here are some of my thoughts and ideas.

	1.	I assume we expect the full certificate chain so that we can validate CA
hierarchy. What is the plan for the TRP ?
	2.	If not we will need to keep a CA list and add to it as required. This is
what browsers do. They come with a list and one can add CAs as required.
Again, how does TRP plan to handle this ?
	3.	For expired certificates, we will need an "expired" state for the
content.
	4.	I assume for Phase 1, we will  maintain the security info model as shown
in Page 14, but will not be accessible from outside thru APIs.
		a)	We will have three roles : Owner, RegistryAdmin and Guest.
		b)	Owner and RegistryAdmin has permission to all methods (*)
		c)	Guest has the getxxxx permissions
		d)	We create these permission objects automatically when content is
submitted
		e)	This scheme would make it easy (and compatible) when Phase II comes,
with use manageable roles,permissions et al
	5.	Now that the security team has seen our ideas, the next plan for us is
to complete the security document as follows:
		a)	Use cases for all the scenarios in 4) above
		b)	Refine the obj model
		c)	Ongoing task - incorporate ideas, suggestions et al. Reflect the TRP
security as required.
		d)	And .... the fun part .... implement the security for the POC (Of
course, I volunteer for that ;-))
		e)	I will try to get the first cut by COB Sunday.

	cheers

	Just as a thought, for the next POC we will need a CA as well ! Till now we
could get by with a DNS server ! And if we want to validate the certificate
from verisign et al, we will need internet connection too !


-----Original Message-----
From: Farrukh Najmi - JavaSoft East [mailto:Farrukh.Najmi@east.sun.com]
Sent: Wednesday, December 06, 2000 8:26 PM
To: Farrukh.Najmi@east.sun.com; ebxml-regrep@lists.ebxml.org
Subject: Re: ebXML Registry Security Proposal



Attachment added this time.

<Farrukh.Najmi@east.sun.com> wrote:
>Date: Wed, 06 Dec 2000 23:21:24 -0500
>
>Attached is a slide presentation that reflects the current state of the
>security
>proposal for ebXML Registry security. It reflects joint work between
Krishna,
>Steve Hanna and myself.
>
>This proposal was presented to the ebXML Security
>team's f2f meeting today. The security team felt that the proposal was
pretty
>close to what is needed for a minimal yet effective Release 1 solution and
>one that fits well with teh works of the security team.
>
>On the issue of whether we can only rely on Certificate based
authentication
>and not do userid/password based authentication the feelking was that it
was
>a good idea because it provide a more secure solution in which content
could
>be traced to its submitter more reliably. The model adds small cost to SO
>(less than $50 per year), and provides more trustworthy content to the
majority
>of users of the registry who are simply browsing and retrieving content. So
>from a security standpoint it is a good compromise. However, it was
suggested
>that the Registry team validate that it is OK to not do userid/password.
IMHO,
>we
>should at the very least push userid/password to pahse 2 or better just
leave
>it out all together.
>
>Please send your thoughts as we will need to add this proposal to the spec
in
>the
>next few weeks.
>
>--
>
>Regards,
>Farrukh
>
>
>




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Search: Match: Sort by:
Words: | Help


Powered by eList eXpress LLC