Subject: RE: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
Based on a number of responses, the security discussion will be postponed until a later time.

Scott

-----Original Message-----
From: Krishna Sankar [mailto:ksankar@cisco.com]
Sent: Wednesday, December 20, 2000 3:26 PM
To: ebxml-regrep@lists.ebxml.org; ebxml-ta-security@lists.ebxml.org
Subject: RE: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up

Chris,

Exactly. My suggestion (like yours and others) is to get enough functionalities thru the current documents and move forward. No new services.

Just a few points :

1. No need for UN/PW
2. Don't need rot13 either ;-)

But, looks like there were some discussions at the STC level and if so, it is better for all of us to have a separate security con call and discuss this. BTW, I will attend tomorrow's TRP con call for 8:00-9:00 and also the f2f in London.

I think all the required basics are there, at some level. We just need to work out the integration and show a path from here to there. We can show that as a part of the regrep security document and refer to your security document at the appropriate places.

Are you near San Jose ? If so, we could meet and hammer this out at a preliminary level.

Any suggestions ?

cheers

> -----Original Message-----
> From: christopher ferris [mailto:chris.ferris@east.sun.com]
> Sent: Wednesday, December 20, 2000 1:06 PM
> To: Krishna Sankar
> Cc: ebxml-regrep@lists.ebxml.org; ebxml-ta-security@lists.ebxml.org
> Subject: Re: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
>
> Krishna,
>
> The TR&P MS spec will have a security section. I have sent an early
> draft to the ta-security list and I invite comments/feedback.
>
> This provides for signing (as well as encryption) of messages
> with bindings for XMLDSIG, S/MIME and PGP/MIME. I could add rot13
> too if there is interest;-)
>
> Signing of the message (over a MAC) provides for authentication.
> How is this inadequate? I can understand the need to possibly
> provide for user/password authentication, but that doesn't have
> (IMHO) the requisite strength needed for regrep update access.
>
> However, S2ML does provide a means of conveying credentials
> and they include a mapping for login/password. Maybe we could
> lift what gets published in v0.8 to that purpose.
>
> Bottom line for me is that we NOT reinvent the wheel.
>
> Cheers,
>
> Chris
>
> Krishna Sankar wrote:
> >
> > Yep, we have the security services group by OASIS and Chris is right saying
> > that we should work with that group - I have expressed my interest in
> > participating. As far as I know the S2ML does address some parts and we
> > could extend the result of the OASIS working group.
> >
> > The question is, what do we do for Release 1 ? Especially as the registry
> > requires authentication and signing of content.
> >
> > cheers
> >
> > > -----Original Message-----
> > > From: christopher ferris [mailto:chris.ferris@east.sun.com]
> > > Sent: Wednesday, December 20, 2000 12:26 PM
> > > To: Nieman, Scott
> > > Cc: 'ebxml-regrep@lists.ebxml.org'; 'ebxml-stc@lists.ebxml.org';
> > > ebxml-ta-security@lists.ebxml.org
> > > Subject: Re: Security Discussion: Changed Agenda: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
> > >
> > > Scott,
> > >
> > > When the S2ML initiative was announced, people asked if it
> > > overlapped with the work being done at ebXML.
> > >
> > > The correct, IMHO, answer at that time was: S2ML defines security
> > > services for authentication and authorization that can be carried
> > > over any protocol (e.g. SOAP, XP, ebXML). The OASIS TC formed will
> > > be focused on this very set of services.
> > >
> > > Defining an ebXML Security Service(s) at this time would be, IMHO,
> > > doing exactly what S2ML was perceived (incorrectly) of doing...
> > > entering a space which is already being addressed by experts in
> > > the field in an OPEN forum (OASIS).
> > >
> > > Now, given that security IS important for RR and that it is currently
> > > being defined in TR&P, BP, TP and TA (as an overarching architectural
> > > view of the works of the other teams), I think that we should be taking
> > > a close look at what is being defined before launching into yet another
> > > specification initiative at this late date in the process.
> > >
> > > From my point of view, RR is simply a specialized business process.
> > > If the needs of RR are not being addressed by the BP, TP and TR&P
> > > specification offerings, then we need to think our work through
> > > more carefully and fill in any gaps that may exist.
> > >
> > > Please, let's not start up yet another splinter group to tackle
> > > an issue that MAY already be addressed within the groups
> > > already focused on security. If anything, the work MUST be
> > > tightly coordinated with the other efforts working on security.
> > >
> > > Please DO keep in mind that once you start down this path, the
> > > next phase you enter will be PKI, and I don't think you want to
> > > go there.
> > >
> > > My $0.02,
> > >
> > > Chris
> > >
> > > "Nieman, Scott" wrote:
> > > >
> > > > To follow-up regarding the StC conversation today, I would like to invite
> > > > Rik, Marty, Sid, Nick and anyone else to join the scheduled RR
> > > > teleconference tomorrow, to discuss a potential need for a separate ebXML
> > > > Security Service, specifically to handle authentication, encryption, and
> > > > decryption needs. Messages and payloads could be processed through this
> > > > service.
> > > >
> > > > RR is concerned about overlap, and general architectural issues. At this
> > > > time, RR is specifying this functionality, however, this functionality is
> > > > also required for normal B2B. Specifying a single Security Service would
> > > > enable RR to focus on role-based authorizations, integrity, etc.
> > > >
> > > > I would like this discussion to last no more than one hour, with that
> > > > discussion to be the first topic.
> > > >
> > > > Scott
> > > >
> > > > -----Original Message-----
> > > > From: Nieman, Scott [mailto:Scott.Nieman@NorstanConsulting.com]
> > > > Sent: Tuesday, December 19, 2000 4:35 PM
> > > > To: 'ebxml-regrep@lists.ebxml.org'
> > > > Subject: Teleconference : 12/21/2000 12:30-4pm CDT : RIM discussion follow-up
> > > >
> > > > Meeting Date: 12/21/2000
> > > > Meeting Time: 12:30-4pm CDT (please note CDT)
> > > >
> > > > The dialup information is:
> > > > USA: 800.892.0357
> > > > Sorry no toll-free for International callers: usa 612.352.7899
> > > > Meeting ID #8186
> > > > 25 locations setup
> > > >
> > > > Agenda: Review the RIM updates based on input from 12/19 telcon.
> > > >
> > > > Please read the document prior to the call.
> > > >
> > > > Regards,
> > > >
> > > > Scott